Over 6,500 security experts and specialists attended this year’s Black Hat Hacking Conference in Las Vegas. Both governments and corporate firms sent representatives to learn more about the security threats their networks may be facing.
One of the platforms that attracted a great deal of attention was Android, a relatively new player in the mobile industry that has gained popularity in a short span of time. It goes without saying that it is also one of the platforms most targeted by hackers. Security is therefore a great concern for both the developers and the users of the mobile operating system.
One specialist from Trustwave’s SpiderLabs said that while Google has taken the necessary steps to fortify Android’s security, hackers are improving day by day and moving forward in their exploits. People with malicious intent are often found to be more advanced than corporate security technicians. They have more advanced knowledge, or have faced so many challenges in finding loopholes that newer systems are a piece of cake for them to manipulate.
“Google is making progress, but the authors of malicious software are moving forward,” said Sean Schulte.
Near Field Communication
One of the loopholes in Android smartphones, according to Accuvant researcher Charlie Miller, is the new near field communication (NFC) technology. People who know the workaround could easily take over the phone through this channel.
He said he already knows how to build a small-scale device that could be placed somewhere inconspicuous; when an Android device comes near enough, malicious code could be sent to it, giving him access to the phone.
Miller spent five years working with the U.S. National Security Agency, where his tasks included breaking into computer systems.
Google Chrome Exploit
CrowdStrike’s Georg Wicherski shared that he was able to infect an Android device with malicious code using a flaw in Google’s Chrome browser. He said that while Google is doing its job of finding such flaws before hackers do, Android phone users are still vulnerable because manufacturers and carriers cannot immediately roll out updates to fix the possible points of exploitation.
“Google has added some great security features, but nobody has them,” said Marc Maiffret, chief technology officer at BeyondTrust.
JavaScript Bridge Exploit
Two researchers from Trustwave demonstrated a way to get past Google’s “Bouncer” technology, which looks for malicious applications submitted to the Google Play Store. It could be done using a legitimate programming tool known to many programmers as a “JavaScript Bridge,” which lets developers add new features to their apps remotely without having to go through the Android update process.
According to them, both LinkedIn and Facebook use this technology for legitimate purposes, but it can also be exploited by hackers with malicious intent. To prove their point, they showed attendees that they could easily load malicious code onto one of their phones and gain control of the browser, which they could then manipulate to download more code and gain total control of the device.
“Hopefully Google can solve the problem quickly,” said Nicholas Percoco, senior vice president of Trustwave’s SpiderLabs.
Many security experts believe Android is still a Wild West where many hackers, both well-intentioned and malicious, often meet.