IBM (NYSE:IBM) security researchers said they have discovered a way to exploit an Android flaw that puts more than 55% of Android phones at risk of being taken over and remotely controlled by cyber hackers.
The IBM cyber security analysts Or Peles and Roee Hay say the flaw could let cyber attackers plant fake apps and use them to take control of a phone. While Google (NYSE:GOOGL) has issued a patch for this threat for Android 5.1, Android 5.0, Android 4.4 and Android M devices, cyber pros say the fear is that the patches may not yet have actually reached these Android devices.
The vulnerability could allow attackers to ramp up their privileges via fake apps to gather sensitive user information. The fake apps are loaded with malware that can collect personal information from, say, a Facebook page, steal confidential banking information or login credentials from a banking app, and even access a phone's camera, contacts list, stored files and email record. Cyber pros say the flaws give new impetus to the need for improving the security of smartphones.
The IBM discovery comes after FireEye (NASDAQ:FEYE) warned that hackers have launched a scary new way to break into Apple (NASDAQ:AAPL) and Google mobile devices and steal information.
Victims are directed to download any of eleven fake apps that look like the real thing, including fraudulent apps for Facebook (NASDAQ:FB), Twitter (NASDAQ:TWTR) or WhatsApp. Click on the fake “Facebook” app, and it'll take you to your Facebook page. But it isn't Facebook controlling the app—it's hackers who now have your Facebook password and can watch everything you do there, FireEye warns.
Cyber pros had only theorized about this “masque” attack; “up until now, these attacks had never been seen carried out in the wild,” FireEye says. Masque attacks are defined as malicious apps installed via, say, emails directing victims to fake web links.
The fake apps come as Apple and Google face yet another big embarrassment over a fraudulent app sold in their app stores. The Federal Trade Commission just slammed a “false” app sold in their app stores for up to $4.99 called “Mole Detective” that made money off of victims by claiming it could help users find potentially cancerous melanoma moles on their bodies. The fake app has been around for at least three years, the FTC says.
The FTC said Avrom Lasarow and his company, L. Health Ltd., settled charges of making false and unsubstantiated claims for the app that instructed users to photograph a mole with their smartphone camera and upload the picture for analysis. Lasarow and his company settled for more than $58,000.
FireEye says it has recently uncovered eleven iOS apps that utilize masque attacks, FireEye senior research scientist engineer Zhaofeng Chen wrote on the company’s findings.
The eleven bad apps are: WhatsApp, Twitter, Facebook, Facebook Messenger, Google Chrome, Blackberry Messenger, Skype, WeChat, Viber, Telegram, and VK.
After they are installed onto an Android or Apple device, the bad apps connect the device “with a remote server” so as to start grabbing your personal data. Here is a sample of what the hackers can steal via these fake apps:
• Voice call recording in Skype, WeChat, etc.
• Text message intercepting in Skype, WhatsApp, Facebook Messenger, etc.
• Chrome visited website history
• Phone call
• SMS/iMessage content
• Precise GPS coordinate recording in background
• Contacts information
• Photos