McAfee reveals security flaws of smartphones calling Android devices the worst

At this week’s McAfee Focus event, it was shown just how easy it is to hack into someone else’s device. Even if you secure corporate phones, employees’ personal phones pose a significant risk.

This week at McAfee Focus the security vendor pounded home one point that it really didn’t think attendees understood. Virtually every smartphone can compromise enterprise security and with some enterprise security practices this may actually make us more vulnerable to attacks.

McAfee CTO Mike Fey demonstrated a proof of concept attack tool the company has developed to showcase just how easy it is to compromise current platforms. Most companies have been penetrated already, he says, with data analytics tools secretly installed so attackers can get a general sense of which user has the most systems authority or, in the case of banking, who moves the most cash. That’s who attackers target.

Typically, the attackers’ goals are to do a lot of damage, get access to confidential information or transfer cash. As an example, McAFee showcased a man-in-the-middle attack in which the browser session is hijacked and the user’s ID, password and challenge question answers are captured. From there, a cash transfer is executed, and the user is pointed to a false account screen that doesn’t show the transfer. This way, the user can’t stop the order until the cash is beyond retrieval.

A scarier demonstration followed. Starting with a Windows 7 PC, McAfee accessed the boot files and successfully reformatted the drive while the unsuspecting user was online. This, of course, would result in a recovery event—and if you can reformat the system, then there is little else you can’t do with it, even if you’re not in Admin mode.

The demo then moved to a Mac. This time, McAfee corrupted the firmware, which would not only destroy the data but require the machine be sent back to Apple for repair, since Apple doesn’t let IT departments or users flash firmware themselves. The scariest scenario of, though, involved Android. While the Windows and Mac attacks seemed complex, the Android attack was comparatively easy, and McAfee got the hacked product to overheat and cook itself, destroying the hardware.

McAfee also argued that attacks such as this are often associated with root kits. That makes it hard for security software that doesn’t have a fixed hardware component to address this successfully. While this was clearly a pitch for Deep Defender, which McAFee co-developed with parent company Intel and which is only made available to Windows machines at large business, it is interesting to note that the attack would not have worked on Windows 8. That showcased (intentionally or otherwise) one of the more endearing aspects of the new operating system: secure boot partition.

However, there is no Deep Defender for smartphones, though McAfee has released mobile security software for Android devices. All you need is to do is install a vulnerability in a compelling free app. Get a target to install the app, then attack the vulnerability to access what ever is on the device (passwords, IDs, addresses, bank account numbers and so on) and/or activate camera and microphone functionality to essentially turn the device into a spy.

While you can protect, to some extent, a business phone, how many employees have personal phones on the corporate network that you don’t know about? Let’s say you wanted to bug a politician, executive, security officer, teacher, competitor, ex-spouse, rival…etc. You just need to get them to use a compromised phone; if they carry two, you can go after their personal phone. You could make the compromised app look like some sort of promotion and, once it’s installed, turn that phone into a bug that’s constantly taking pictures or recording every meeting and conversation, even if the phone isn’t used for that particular call. You could try for a drive-by download, too.

While curated app stores like the Apple and Microsoft stores actively look for malware, they don’t aggressively check for bugs and wouldn’t know where to look for a creative exploit. If you build an app that is never widely sold or used, the chance of the exploit being found is low. If you root the phone, too, you can likely destroy the forensic data that would let an investigator figure out how this happened.

it’s probably wise to avoid banking on your smartphone and talking about anything sensitive in range of your phone. Something to keep in mind.