You've probably never stopped to think about all the funny facial expressions you make when you're busy flinging Angry Birds at Bad Piggies, but if your phone has secretly been turned into a "spy phone," an attacker could describe them to you, because he or she could snap pictures of you as you play. If you don't play Angry Birds, don't start feeling smug and secure: it took security researchers only about two weeks to write malicious code that can be injected into any Android app from the Google Play store. And although this was originally aimed at Android, iPhone users shouldn't feel left out, as your phone too can be turned into a "cyber-surveillance" device.
In a Black Hat talk titled "How to Build a SpyPhone," Kevin McNamee, the Director of Alcatel-Lucent's Kindsight Security Labs, demonstrated how to turn your iPhone or Android smartphone into a spy phone that could allow an attacker "to track the phone's location, intercept phone calls and SMS messages, extract e-mail and contact lists, and activate the camera and microphone without being detected." Unless you noticed that the app asked for unusual permissions when it was installed, you would never be the wiser and never know your phone was connected to a command-and-control server.
One of the first things the malicious and stealthy app does is turn down the phone's volume so you don't hear the shutter sound as the camera secretly snaps photos. An attacker could also remotely activate the microphone, which would allow the recording of everything from business meetings to adventures in the bedroom. Although an iPhone shows a preview of videos or pictures, McNamee shrank the preview to a single pixel so that no Apple fan would notice it.
McNamee used Angry Birds as the model for a malicious app dubbed DroidWhisperer, and then submitted his version of "Angry Birds" to a third-party app store. After installation, an attacker could text or email your contacts to suggest they too download the app. A hacker or cyberstalker could also map and keep track of your location, and the app could monitor your social media and web browsing activity as well as your conversations. It sounds about like something the spooks would love to deploy.
"What the hacker sees is both scary and impressively simple," reported VentureBeat. "A small dashboard shows different devices connected to the C&C through the app. He can click on a target phone and data such as the phone number, e-mail address, contact list, unique identifier, and carrier pop up immediately. At the top of the dashboard there are different action buttons to take a picture, record video and audio, and send text messages and push notifications."
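The one user-visible signal the article leaves you with is the app's permission list: a repackaged game that can do everything the dashboard above offers has to declare location, SMS, call, contacts, camera and microphone permissions alongside network access for the C&C channel. The script below is an added example (not code from the talk, Kindsight or the article) that triages the output of `adb shell dumpsys package` for exactly that profile. The sample output embedded in it is constructed, the package names are hypothetical, and the dumpsys text layout it parses is an assumption that varies between Android versions, so treat it as a triage aid rather than proof: a messaging app will legitimately match the same profile, and nothing here detects the runtime tricks (muted shutter, one-pixel preview) that the talk used to hide the app once it is installed.

```python
"""Triage installed Android packages for the "spy phone" permission profile:
surveillance capabilities (location, SMS, calls, contacts, camera, microphone)
combined with INTERNET access for a command-and-control channel.

Added example, not code from the talk or the article. The dumpsys layout
parsed here is an assumption; SAMPLE_DUMPSYS below is constructed data.
"""
import re
import sys
from collections import defaultdict

# Surveillance capabilities from the talk, mapped to the real Android
# permission constants an app needs to declare to use them.
SURVEILLANCE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.PROCESS_OUTGOING_CALLS",
              "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.GET_ACCOUNTS"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}
NETWORK = "android.permission.INTERNET"

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"\b(android\.permission\.[A-Z_]+)")

# Constructed sample resembling `adb shell dumpsys package` output.
# Package names are hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.game] (3f2a1b):
    userId=10087
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.WAKE_LOCK
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.game.repack] (9c4d7e):
    userId=10102
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true
  Package [com.example.offlinecamera] (11aa22):
    requested permissions:
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
"""


def parse_dumpsys(text):
    """Return {package: set(permissions)} from dumpsys package output.
    Every android.permission.* constant that appears under a package header
    is collected, whether from the requested, install or runtime sections."""
    perms = defaultdict(set)
    current = None
    for line in text.splitlines():
        header = PACKAGE_RE.match(line)
        if header:
            current = header.group(1)
            perms[current]  # record the package even if it lists nothing
            continue
        if current is not None:
            perms[current].update(PERM_RE.findall(line))
    return dict(perms)


def spyphone_capabilities(permissions):
    """Surveillance capabilities the permission set enables. An app that
    cannot reach the network has no C&C channel, so it scores nothing."""
    if NETWORK not in permissions:
        return []
    return [cap for cap, needed in SURVEILLANCE.items() if permissions & needed]


def flag_suspects(text, threshold=3):
    """Packages with network access plus at least `threshold` surveillance
    capabilities, worst first. Expect legitimate messengers to show up too;
    the point is to review games and utilities that have no business here."""
    suspects = []
    for pkg, permissions in parse_dumpsys(text).items():
        caps = spyphone_capabilities(permissions)
        if len(caps) >= threshold:
            suspects.append((pkg, caps))
    suspects.sort(key=lambda item: (-len(item[1]), item[0]))
    return suspects


if __name__ == "__main__":
    # Usage: adb shell dumpsys package | python spyphone_triage.py
    # With no piped input, the constructed sample is used instead.
    text = SAMPLE_DUMPSYS if sys.stdin.isatty() else sys.stdin.read()
    for pkg, caps in flag_suspects(text):
        print(f"{pkg}: {', '.join(caps)}")
```

On the sample, only the repackaged game is flagged: the genuine game asks for network access but nothing sensitive, and the offline camera app has sensor permissions but no way to send anything to a C&C server. The threshold is deliberately a parameter; the point of the check is to find apps whose declared permissions do not match what they claim to be, not to score every chat application as spyware.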