Skip to navigation
Latest News

NFC gives hackers access to Android phones

Android logo

By Stewart Mitchell and Reuters

Posted on 26 Jul 2012 at 08:44

Thieves could gain access to Android mobile phones via Near Field Communication (NFC) connections, researchers have shown.

According to serial phone hacker Charlie Miller, the hack would work with many NFC capable handsets, and casts a shadow over payment systems using the technology. "I can take over your phone," Miller said.

The hack – and a range of malware vulnerabilities - was shown off at the Black Hat hacking conference in Las Vegas, where 6,500 corporate and government security professionals gathered to learn about emerging threats to networks.

NFC allows users to share photos with friends, make payments or exchange other data by bringing Android phones within a few centimetres of similarly equipped devices, such as another smartphone or payment terminal.

Google has added some great security features, but nobody has them

Miller said he had created a device the size of a postage stamp that could be stuck in an inconspicuous place, such as near a cash register at a restaurant. When an Android handset is close enough, he could gain access to the system. Miller also showed off Bluetooth hacks to access data stored on handsets.

Miller and fellow hacking expert, Georg Wicherski of CrowdStrike, also infected an Android phone with a piece of malicious code that Wicherski unveiled in February. That piece of software exploits a security flaw in the Android browser that was publicly disclosed by Google's Chrome browser development team.

There's been an ongoing debate on the level of the malware threat to Android users, with some experts questioning scare tactics from antivirus firms. The demonstrations show the problem does at least exist, despite Google trying to improve the situation with its Bouncer detection system. "Google is making progress, but the authors of malicious software are moving forward," said Sean Schulte of Trustwave's SpiderLabs.

Update system a weakness

Google has fixed the flaw in Chrome, which is frequently updated, so that most users are protected, but Wicherski said Android users are still vulnerable because carriers and device manufacturers have not pushed those fixes or patches out to users.

Marc Maiffret, chief technology officer of the security firm BeyondTrust, said: "Google has added some great security features, but nobody has them."

Experts say iPhones and iPads don't face the same problem because Apple pushes out security updates fairly quickly after they are released.

Play Store exploits

Two Trustwave researchers also told attendees about a technique they discovered for evading Google's "Bouncer" technology for identifying malicious programs in its Google Play Store.

They created a text-message blocking application that uses a legitimate programming tool known as JavaScript Bridge. JavaScript Bridge lets developers remotely add new features to a program without going through the normal Android update process.

Companies including Facebook and LinkedIn use JavaScript Bridge for legitimate purposes, according to Trustwave, but it could also be exploited maliciously.

To prove their point, the researchers loaded malicious code onto one of their phones and remotely gained control of the browser. Once they did that, they could force it to download more code and grant them total control.

"Hopefully Google can solve the problem quickly," said Nicholas Percoco, senior vice president of Trustwave's SpiderLabs. "For now, Android is the Wild West."

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments

Another scare tactic helpful to Apple fanboys.

"Experts say iPhones and iPads don't face the same problem because Apple pushes out security updates fairly quickly after they are released."

What planet are you on?
Both Iphones and iOS have both recently been hit by malware and still waiting for any fixes from Apple. They are no better or worse than MS or Android.

By curiousclive on 26 Jul 2012

curiousclive - there have been a couple of recent highly publicised instances of IOS and App malware, that has been nipped in the bud by Apple.
Compare that with the hundreds of rogue or infected apps designed to pray on Android users and their phones.
Of course Apple's IOS isn't imune, but its users are currently in a far better place than those using Android devices, where there is a completely open door for the bad guys to walk in.

By GoneWithTheWind on 27 Jul 2012

Apple are pretty poor at antimalware. Witness their desktop fiascos. True their track record on mobile is better, but that is basically because of process. I'm not sure that Apple nip anything in the bud - they try and proactively prevent, but nice the door opens they stick their heads in the sand for ages before actually doing anything. Enough mixed metaphors.

By Nodule on 27 Jul 2012

Leave a comment

You need to Login or Register to comment.

(optional)

advertisement

Most Commented News Stories
Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing

advertisement

Sponsored Links
 
SEARCH
Loading
WEB ID
SIGN UP

Your email:

Your password:

remember me

advertisement


Hitwise Top 10 Website 2010
 
 

PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Register to receive our regular email newsletter at http://www.pcpro.co.uk/registration.

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.