With dangerous new threats emerging every day targeting the massive mobile market, it's always a good decision to take security seriously by installing anti-virus software on your smartphone. But what if one of those threats could disable your anti-virus software, or even hijack it and turn it into a weapon? What would you do then?
These are, unfortunately, not hypothetical questions, and as security researcher Riley Hassell will demonstrate at a security conference next week, the answers are not comforting.
Hassell, the founder of Privateer Labs, has identified a flaw in Google's Android operating system that can be exploited by malicious apps to disable anti-virus software installed on the phone. As ZDNet Asia reported, Hassell's hack can also turn an Android phone's AV software into a malicious app, which can then be used to steal phone owners' private information, such as banking credentials.
According to Hassell, a hacker could take advantage of Android's lax app-vetting policy to create and publish a malicious app in Android's official Market that can perform this two-pronged attack on an Android phone's anti-virus software.
Hassell and his team will reveal their findings in a presentation called "Hacking Androids for Profit" at the Hack in the Box security conference, Oct. 10-13 in Malaysia. At the conference, the Privateer team also plans to reveal previously undisclosed flaws in Android apps.
Hassell said he tested his hack on "top-end" mobile anti-virus software. The attack, he said, has not been seen in the wild. Hassell has not released more information about the flaw because, he said, he is scheduled to disclose the vulnerability to Google before the conference, giving the company a chance to address the problem before he makes it public.
This presentation could be another serious blow to Android security. In the past few months, Android's security has taken a number of hits, from text-stealing Trojans and data-harvesting malware to the more recent discovery that several HTC Android phones leak users' personal data.