Cyber security experts have uncovered a flaw in a component of the operating system of Google Inc’s Android smartphone that they say hackers can exploit to gain control of the devices.
Researchers at CrowdStrike, a start-up cyber security firm, said they had figured out how to use the bug to launch attacks and take control of some Android devices.
CrowdStrike, which will demonstrate its findings next week at a major computer security conference in San Francisco, said the attacker sends an email or text message that appears to be from a trusted source, such as the user's phone carrier. The message urges the recipient to click on a link; clicking it infects the device.
At that point, the hacker gains complete control of the phone, enabling him or her to eavesdrop on phone calls and monitor the location of the device, said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.
Google spokesman Jay Nancarrow declined to comment on CrowdStrike's claim.
A PIECE OF THE MOBILE PIE
Share of different mobile operating systems in the global and Indian markets

Operating System | Global market share (%) | India market share (%)
SymbianOS | 31.89 | 65.1
iOS | 24.04 | 16.62
Android | 23.21 | 8.00
BlackBerry OS | 6.94 | 5.05
Samsung | 5.84 | 1.23
Sony Ericsson | 1.75 | 0.73
bada | 0.52 | 0.23
Others | 5.81 | 3.04

Source: Statcounter.com
Alperovitch said the firm conducted the research to highlight how mobile devices were increasingly vulnerable to a type of attack widely carried out against personal computers. In such instances, hackers find previously unknown vulnerabilities in software, and exploit those flaws with malicious software delivered through tainted links or attached documents.
He said smartphone users needed to prepare themselves for this type of attack, which, typically, could not be identified or thwarted by mobile device security software.
“With modifications and, perhaps, use of different exploits, this attack will work on every smartphone device and represents the biggest security threat to those devices,” said Alperovitch, who was the vice president of threat research at McAfee Inc before co-founding CrowdStrike.
Researchers at CrowdStrike were not the first to identify such a threat, though such warnings are less common than reports of malicious applications that make their way to online websites, such as Apple’s App Store or the Android Market.
In July 2009, researchers Charlie Miller and Collin Mulliner figured out a way to attack Apple’s iPhone by sending malicious code embedded in text messages, invisible to the phone’s user. Apple repaired the bug a few weeks after the pair warned it of the problem.
The method devised by CrowdStrike currently works on devices running Android 2.2, also known as Froyo. That version is installed on about 28 per cent of all Android devices, according to a Google survey conducted over the two weeks ended February 1.