A chilling demonstration to a small, packed room at the RSA security conference today showed how clicking a single bad Web link while using a phone running Google's Android operating system could give an attacker full remote control of your phone. Once George Kurtz and colleagues from security startup CrowdStrike were done, they could record phone calls, intercept text messages, and track the hacked phone's location at all times.
"What is ubiquitous, has a camera, a microphone, knows where you are at all times, is always on, and stores your sensitive information?" asked Kurtz. "The smart phone is the ultimate spying tool."
Smart phones have been hacked before, but Kurtz said this was the first public demonstration of an end-to-end system able to wrest control of one remotely with just a single click on a Web link.
Targeted attacks, designed to steal intellectual property or valuable information from corporations and their executives, have become relatively common in recent years. For some time, security experts have warned that mobile devices offer a way for such attacks to become more pervasive and effective, and today's demo lends weight to that case.