Imagine a vulnerability that would allow malware to take over your mobile device; turn on the microphone, camera and GPS; and transmit everything it hears, while simultaneously sending copies of e-mail and text messages to a remote server. Sounds like a nightmare, right? Unfortunately, it exists. Worse, your security software can’t stop it.
George Kurtz, CEO of the newly launched CrowdStrike security company, said a group of researchers at his company repurposed and weaponized some Chinese malware and now control it from the company's own servers. Kurtz, who was CTO of McAfee until Intel bought the company, said any mobile device using the Webkit browser -- which includes Android, iOS and some BlackBerry devices -- is vulnerable to this malware.
Kurtz planed to demonstrate this vulnerability at the RSA Conference in San Francisco Feb. 29, 2012, and its threat is especially serious because there’s no real effective protection against it until the mobile device browser is updated. Adding to the problem is the fact that mobile software companies aren’t always very prompt in updating their software, and frequently release different updates of the same software version to different customers, which is why Android is so fragmented. This means that it’s unlikely that all vulnerable devices will ever be fixed.
CrowdStrike approaches security through determining the threats against an organization and how those threats might be implemented. Kurtz said in an interview for my FierceMobileIT newsletter that the real target of any security effort should be on the person or group sending out the malware more than on the malware itself.
Kurtz noted about the only thing a company can do is to make sure the devices for which it is responsible are kept updated, and users are trained not to click on links that arrive in e-mail or text messages. Yes, it's old advice. But maybe users will pay attention this time if they know that once this malware enters their phone or tablet, someone might be watching everything they do, hearing everything they say and reading their mail.
The only upside might be that those watching also are getting all of the user's spam.