New Security Threat Against 'Smart Phone' Users

New Security Threat Against 'Smart Phone' Users

The researchers, who are presenting their findings at a mobile computing workshop in Maryland, demonstrated how such a software attackcould cause a smart phone to eavesdrop on a meeting, track its owner's travels, or rapidly drain its battery to render the phone useless. These actionscould happen without the owner being aware of what happened or what caused them.

"Smart phones are essentially becoming regular computers, they runthe same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by malicious software, or 'malware.'" Smart phones are cellular telephones that also offer Internet accessibility, texting and e-mail capabilities and a variety of programs commonly called "apps," or applications.

The researchers, are behind a nefarious type of malware known as"rootkits." Unlike viruses, rootkits attack the heart of a computer's software and its operating system. They can only be detected from outside a corrupted operating system with a specialized tool known as a virtual machine monitor, which can examine every system operation and data structure.

Virtual machine monitors exist for desktop computers, but in current form, they demand more processing resources and energy than a portable phonecan currently support.

Rootkit attacks on smart phones or upcoming tablet computers could be more devastating because smart phone owners tend to carry theirphones with them all the time. This creates opportunities for potential attackers to eavesdrop, extract personal information from phone directoriesor just pinpoint a user's whereabouts by querying the phone's Global Positioning System (GPS) receiver. Smart phones also have new ways formalware to enter the system, such as through a Bluetooth radio channel orvia text message.

In one test, the researchers showed how a rootkit could turn on a phone's microphone without the owner knowing it happened. In such a case, an attacker would send an invisible text message to the infected phone telling it to place a call and turn on the microphone, such as when the phone's owner is in a meeting and the attacker wants to eavesdrop.

In another test, they demonstrated a rootkit that responds to a text query for the phone's location as furnished by its GPS receiver. This would enable an attacker to track the owner's whereabouts. Finally, they showed a rootkit turning on power-hungry capabilities, such as the Bluetooth radio & GPS receiver to quickly drain the battery. An owner expecting remaining battery life would instead find the phone dead.

The researchers are careful to note that they did not assess how vulnerable specific types of smart phones are. They did their work on a phone used primarily by software developers versus commercial phone users. Working within a legitimate software development environment, they deliberately inserted rootkit malware into the phone to study its potential effects.They did not find a vulnerability that a real malware attacker would have to exploit.

.