What is the most unnerving thing hackers can do to your smartphone? Perhaps hack into your camera and watch you as you go about your day? What about tapping into your microphone and listening to everything you say in your daily meetings? A series of vulnerabilities has been making news that allows attackers to do just that on your most personal devices.
Research teams at Checkmarx Security uncovered a way to bypass user permissions and manipulate specific smartphone actions. For this to work, the user must download a malicious mobile application through an app store. The malicious application itself doesn’t require any special permissions other than basic storage access, which is common in mobile apps. Once the application is installed on the phone, it can open an outbound connection from the phone to a server in the cloud that an attacker controls. The scary part is that the connection isn’t necessarily terminated just by closing the application.
Google patched this vulnerability for the most part back in July. However, many users still don’t update their phones when prompted, and they delay their security patches time and time again. Rogue application downloads have been a recurring attack vector against personal cell phones. The important takeaway from this vulnerability is that you need to do something about mobile security, whether that’s managing your company’s phones through a mobile device management application or just having better security hygiene with your personal devices.