CrowdStrike, a start-up cyber-security firm, has claimed to have found a bug in Google’s Android that can enable hackers to gain complete control of devices. The details of these findings are to be revealed at a major computer security conference that takes place next week in San Francisco.
The Chief Technology Officer and co-founder of CrowdStrike, Dmitri Alperovitch, explained that the attacker first sends a link, disguised as coming from a trusted source such as the user’s carrier, and persuades the user to click on it. Once the link is clicked, the device is infected and the hacker can gain access to all the data and services on the phone, such as phone calls and the location of the device.
Alperovitch, who was the Vice President of Threat Research at McAfee Inc. before co-founding CrowdStrike, said that a great deal of research had been carried out regarding such attacks. These attacks had earlier been targeted at PCs and have now become increasingly common on mobile phones, where hackers look for hidden flaws in operating software and create malicious software to attack users’ devices. He said that smartphone users today should be especially vigilant and that these attacks cannot be prevented by mobile security software.
He also stated that this kind of attack could be modified and extended to other devices and could present a potential threat to all existing smartphone devices. Though this is not the first such bug to be reported, bugs of this kind are not as common as malicious apps that make their way into services such as the App Store or the Android Market.
The attacking method discovered by CrowdStrike works on Android 2.2, known as Froyo, which operates on 28 percent of all Google devices as of February 11th. Further, the company has said that another attack may be possible on Android 2.3 or Gingerbread devices as well, the OS version currently installed on 58 percent of all Android devices.
The current bug discovered by CrowdStrike is in a software platform called WebKit, used by Android to run its web browser. WebKit is also used in Google Chrome and Apple iOS, the latter being widely used in the iPhone and the iPad. The company, however, said that the bug has not yet been tested against devices using iOS or Google Chrome.