World Bulletin / News Desk
Hacking experts on Wednesday demonstrated ways to attack Android smartphones using methods they said work on virtually all such devices in use today, despite recent efforts by search engine giant Google to boost protection.
Experts showed off their prowess at the Black Hat hacking conference in Las Vegas, where some 6,500 corporate and government security technology workers gathered to learn about emerging threats to their networks.
"Google is making progress, but the authors of malicious software are moving forward," said Sean Schulte of Trustwave's SpiderLabs.
Google spokeswoman Gina Scigliano declined to comment on the security concerns or the new research.
Accuvant researcher Charlie Miller demonstrated a method for delivering malicious code to Android phones using a new Android feature known as near field communications.
"I can take over your phone," Miller said.
Near field communications allow users to share photos with friends, make payments or exchange other data by bringing Android phones within a few centimeters of similarly equipped devices such as another phone or a payment terminal.
Miller said he figured out how to create a device the size of a postage stamp that could be stuck in an inconspicuous place such as near a cash register at a restaurant. When an Android user walks by, the phone would get infected, said Miller.
He spent five years as a global network exploit analyst at the U.S. National Security Agency, where his tasks included breaking into foreign computer systems.
Miller and another hacking expert, Georg Wicherski of CrowdStrike, have also infected an Android phone with a piece of malicious code that Wicherski unveiled in February.
That piece of software exploits a security flaw in the Android browser that was publicly disclosed by Google's Chrome browser development team, according to Wicherski.
Google has fixed the flaw in Chrome, which is frequently updated, so that most users are now protected, he said.
But Wicherski said Android users are still vulnerable because carriers and device manufacturers have not pushed those fixes or patches out to users.
Marc Maiffret, chief technology officer of the security firm BeyondTrust, said: "Google has added some great security features, but nobody has them."
Experts say iPhones and iPads don't face the same problem because Apple has been able to get carriers to push out security updates fairly quickly after they are released.
Two Trustwave researchers told attendees about a technique they discovered for evading Google's "Bouncer" technology for identifying malicious programs in its Google Play Store.
They created a text-message blocking application that uses a legitimate programming tool known as java script bridge. Java script bridge lets developers remotely add new features to a program without using the normal Android update process.
Companies including Facebook and LinkedIn use java script bridge for legitimate purposes, according to Trustwave, but it could also be exploited maliciously.
To prove their point, they loaded malicious code onto one of their phones and remotely gained control of the browser. Once they did that, they could force it to download more code and grant them total control.
"Hopefully Google can solve the problem quickly," said Nicholas Percoco, senior vice president of Trustwave's SpiderLabs. "For now, Android is the Wild West."
An American astronaut and two Russians who carried a Sochi Olympic torch into open space landed safely and on time on Tuesday in Kazakhstan
Elephants can tell whether a human poses a threat by listening to his voice and sussing out subtle clues about his age, gender and ethnicity, according to a study
Scientists had to abseil and scubadive to get into the caves, some of which are around 50 metres deep (165 feet). They found wall paintings and bone fragments left by the indigenous Kawesqar people that could help date the caves.
Asteroids have broken apart many times over the eons, but never before have scientists been able to witness it.
Should these ships become a reality, a total of 44% of expenses could be cut from operating cargo ships, according to industry consultant Moore Stephens LLP.
Earthuquake lights sometimes appear in the sky before an earthquake takes place and are often mistaken for UFOs.
Remains of the new species were unearthed in Portugal by an amateur fossil hunter in 2003 in the rock cliffs of Lourinhã
The females of an Asian swallowtail butterfly species known as the Common Mormon often mimic the appearance of another species of butterfly that is toxic for predators to eat
Scientists from Turkey designed 'the smart infrared cameras' to deal with dense fog related flight delays which cause thousands of flights to be postponed or cancelled each year.
Artificial muscles can bear 117 times more than natural muscles.
Scientific works by students aged between 11 and 15 in invention and design categories will take part in the olympiad.
GCHQ collected images from the webcam chats of more than 1.8 million users globally in a six-month period in 2008 alone
NASA'a Kelper telescope has discovered 715 new planets outside of our solar system.
The vault, which was designed to withstand all disasters, was opened in 2008 in order to store an adequate amount of seeds which would enable the human species to revive lost crops in the event of global disaster.
A cybersecurity firm said that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets
NASA says about 100 tons of material from space enter Earth's atmosphere every day. The moon, with no protective atmosphere, is fair game for celestial pot-shots