Black Hat: It's not 'tricky' for hackers to turn your phone into a SpyPhone

At Black Hat USA, a security researcher explained how to inject malicious code into any app so it can secretly take photos, record conversations, and track locations.

You've probably never stopped to think about all the funny facial expressions you make when you're busy flinging Angry Birds at Bad Piggies, but if your phone has secretly been turned into a "spy phone," then an attacker could tell you because he or she could snap pictures of you as you play. If you don't play Angry Birds, then don't start feeling smug and secure, because it only took about two weeks for security researchers to write malicious code that can be injected into any Android app on the Google Play store. Although this was originally aimed at Android, don't feel left out, iPhone users, as you too can have your phone turned into a "cyber-surveillance" device.

In a Black Hat talk titled "How to Build a SpyPhone," Kevin McNamee, the Director of Alcatel-Lucent's Kindsight Security Labs, demonstrated how to turn your iPhone or Android smartphone into a spy phone that could allow an attacker "to track the phone's location, intercept phone calls and SMS messages, extract e-mail and contact lists, and activate the camera and microphone without being detected." And unless you noticed the app asked for unusual permissions when installed, then you'd never be the wiser and never know your phone was connected to a command-and-control server.

One of the first things the malicious and stealthy app does is turn down the phone's volume so you don't hear the camera secretly snapping photos. An attacker could also remotely activate the microphone, which would allow the recording of everything from business meetings to adventures in the bedroom. Although an iPhone shows a preview of videos or pictures, McNamee made the preview show up as only one pixel so no Apple fans would notice it.

McNamee used Angry Birds as the model for a malicious app dubbed DroidWhisperer, and then submitted his version of "Angry Birds" to a third-party app store. After installation, an attacker could text or email your contacts to suggest they too download the app. A hacker/cyberstalker could also map and keep track of your location; it could monitor your social media and web browsing activity as well as your conversations. It sounds about like something the spooks would love to deploy.

"What the hacker sees is both scary and impressively simple," reported VentureBeat. "A small dashboard shows different devices connected to the C&C through the app. He can click on a target phone and data such as the phone number, e-mail address, contact list, unique identifier, and carrier pop up immediately. At the top of the dashboard there are different action buttons to take a picture, record video and audio, and send text messages and push notifications."

"I do think the bad guys are doing something like this, injecting their malicious code into existing apps," McNamee said. "It's pretty straightforward. It requires the ability to unpackage and repackage apps. It's not exceptionally tricky, but it does require some knowledge of how the Android system works."

Kindsight Security Labs previously reported, "It is surprisingly easy to add a command and control interface to allow the attacker to control the device remotely, activating the phone's camera and microphone without the user's knowledge. This enables the attacker to monitor and record business meetings from a remote location. The attacker can even send text messages, make calls or retrieve and modify information stored on the device - all without the user's knowledge."

The report added, "When connected to the company's Wi-Fi, the infected phone provides backdoor access to the network and the ability to probe for vulnerabilities and assets. With these features, an ordinary smartphone becomes the perfect platform for launching advanced persistent threats (APT)."

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)