A team of researchers at Palo Alto, Calif.-based antimalware vendor Dasient Inc. is expected to demonstrate a serious Android phone drive-by attack that could enable an attacker to gain network access to the phone and steal data from it.
Web-based threats, such as drive-by attacks, have so far been limited to the desktop, but Dasient CTO Neil Daswani said his firm will demonstrate the latest Android phone attack at the Black Hat 2011 security conference in Las Vegas next month.
“It’s possible to write an attack such that when a user simply navigates to a webpage on a mobile phone, the attacker can get a backdoor channel to the phone,” Daswani said.
The Android attack the research team plans to demonstrate targets a flaw in the smartphone’s Webkit browser engine and a coding error in Skype to bypass Android’s sandbox isolation security feature. Webkit, a common browser engine, is used in many PC and mobile browsers. Google Chrome, Apple Safari and HP’s WebOS use Webkit to render webpages. Vulnerabilities have been discovered in Webkit in the past, and while many of them have been patched, some extremely difficult-to-patch memory corruption errors remain.
The Dasient research team took advantage of a flaw in the way Webkit parses a floating point number. Parsing such numbers is a common operation in browser code, and a flaw in it can be exploited to cause a buffer overflow, enabling an attacker to execute malicious code or crash the browser. Similar Webkit vulnerabilities have been patched by Apple and Google in the past.
“You can tell the browser to construct a floating point number; it won’t know how to handle it just right and basically you can construct an exploit which gives you network access into the compromised phone,” Daswani said.
Daswani said mobile drive-bys have been used on the iPhone in the past: a website used a drive-by technique that enabled users to unlock and jailbreak their iPhone simply by visiting the site. The full details of the Android attack will be released Aug. 4 at Black Hat.
Privacy leaks via Android applications
Dasient has also found data leakage from hundreds of Android mobile applications. The security vendor’s research team conducted a behavioral analysis on over 10,000 Android applications and reported on privacy violations found in 800 of them. The results of the study will be released during the Black Hat 2011 presentation, Daswani said.
The team studied the network activity of the applications. In some instances, the applications tied into SMS, texting out messages to other smartphone users. The researchers also identified other applications that were transmitting user device IDs, usernames and contact information to various servers.
Unlike the DroidDream malware, discovered embedded in dozens of Android applications, most applications Dasient found leaking information were not intentionally malicious in nature. Many of the applications were coded incorrectly. In some cases, the developers attempted to secure sensitive data, but used encryption incorrectly, Daswani said. In other instances, the application was leaking sensitive data in the clear with no safeguards in place, he said.
“It’s clear the developers were not taking care with users’ private information,” he said. “These applications need to be coded and built more carefully if indeed we want mobile applications to maintain the trust of users.”