Mobile Apps Vulnerable to Malicious Bypass Code

Monday, February 21, 2011



During a keynote address at the RSA Conference in San Francisco last week, McAfee CTO George Kurtz revealed that supposedly secure mobile applications may still be vulnerable to manipulation.

The ongoing assumption has been that applications offered in the app marketplace have been vetted for security, but McAfee researchers have evidence that some mobile applications that have been approved for distribution may not be as secure as consumers would expect.

McAfee created an application similar to the popular "flashlight" offering. Kurtz described how the team was able to produce an "approvable" application that could be manipulated after the fact to enable remote functionality via a command and control server.

With the malicious code installed, McAfee demonstrated how SMS messages could be sent, data harvested, and mobile payments executed at will.

“...if you downloaded it then it will connect to Twitter and look for hashtags to connect to our command and control centre. It can continue to post to the server, as the app regulates with the server and downloads a remote code... we put the app with the code and created a command and control centre backend. The app checks in with this backend server and can steal photos off the phone. We also used it to send an SMS to the Red Cross but we are not donating, the victim is,” Kurtz explained.

Kurtz is confident the application would have been approved for distribution in the app marketplace as written, and questioned whether it is safe to assume companies like Google and Apple really have the time and the resources to ensure that the massive onslaught of new applications is truly secure.

“If you download something from an app store are you assuming it is OK? When do Apple [or Google] have time to go over three million apps with a fine tooth comb?”

