RSA 2012: Zero-Day WebKit Flaw Allows Android Device Takeover

An unpublicised vulnerability in the WebKit browser code can be used to take control of Android devices, according to security start-up CrowdStrike.

The company is led by chief executive George Kurtz, former CEO of Foundstone and CTO of McAfee; and co-founder and chief technology officer Dmitri Alperovitch, formerly vice president of threat research at McAfee.

Mobile RATs

The two will unveil the company’s findings at a presentation during this week’s RSA Conference 2012, and will demonstrate how the attack works.

The Android attack falls into the category of Mobile Remote Access Tools (RATs), which allow an attacker full control of a mobile device such as a tablet or smartphone, CrowdStrike said.

“These devices are not just another data storage platform – they are an extension of your physical persona, capable of tracking your location, covertly activating your microphone or camera and intercepting phone calls and SMS,” CrowdStrike said in a statement.

The exploit makes use of a malicious, but seeming trustworthy, email message aimed at tricking a user into clicking on a link, Alperovitch told Reuters. Because the flaw is in WebKit, a browser code base used widely on platforms including RIM’s BlackBerry, Google’s Chrome browser and Apple iOS devices as well as Android, the attack could be made to work on practically every smartphone, Alperovitch said.

He said the attack currently works on Android 2.2 (‘Froyo’) and will shortly be updated to work on Android 2.3 (‘Gingerbread’). CrowdStrike has not yet attempted to develop the attack on iOS or Chrome, Alperovitch said.

Operation Shady RAT

While at McAfee last year Alperovitch led the team that discovered what was described at the time as the largest known co-ordinated cyber attack, dubbed Operation Shady RAT, targeting national governments including those of the US and Taiwan as well as international bodies such as the UN and the International Olympic Committee. The attack was believed to have originated from China’s national government.

CrowdStrike, too, will focus on attacks originating from nation-states, and will develop a new technology aimed at exposing such attacks before companies are infiltrated, Alperovitch said.

Malware targeting Android grew by 3,325 percent in 2011, according to a recent report from Juniper Networks. Android malware accounted for about 46.7 percent of unique malware samples that targeted mobile platforms, followed by 41 percent for Java Mobile Edition.

How well do you know Internet security? Try our quiz and find out!