As smartphones increasingly hold data worth stealing, attackers will target the devices through known vulnerabilities in the common software components they run.
One security researcher plans to show off just such an attack at next week's Black Hat Security Briefings in Las Vegas.
In a presentation at the conference, Neil Daswani, chief technology officer for Web security firm Dasient, will show off a proof-of-concept drive-by attack on an Android phone that uses a vulnerability in WebKit, the rendering engine behind the platform's stock browser. That initial foothold gives Daswani a channel through which he exploits a vulnerability in Skype to read information from the application and eavesdrop on chat conversations.
"These attacks are possible, not only for us, but for cybercriminals as well," Daswani says. "We need to have a solid understanding of how this works, so we can protect against these attacks."
The presentation will cover recent research carried out by Dasient, including the creation of the attack prototype and runtime analysis of a random sample of 10,000 applications from the Android app store, which found that about 29 percent of applications request permission to access the IMEI (international mobile equipment identity), a unique identifier for the handset itself.
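On Android, reading the IMEI through TelephonyManager is gated by the android.permission.READ_PHONE_STATE permission, so the cheapest static check for "does this app ask for IMEI access" is to look for that permission in its AndroidManifest.xml. The script below is an added example, not Dasient's tooling or anything from the article: it parses manifests (the four sample manifests, package names and permissions are all constructed here for illustration) and reports which ones request the permission and what fraction of the sample that is, the same figure the article quotes for the 10,000-app sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# The permission that gates TelephonyManager.getDeviceId(), i.e. the IMEI.
IMEI_PERMISSION = "android.permission.READ_PHONE_STATE"

# Constructed sample manifests for hypothetical apps (not real packages).
SAMPLE_MANIFESTS = {
    "com.example.flashlight": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>""",
    "com.example.notes": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>""",
    "com.example.weather": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>""",
    "com.example.game": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>""",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name, namespace-qualified
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def requests_imei_access(manifest_xml: str) -> bool:
    """True if the manifest asks for the permission that grants IMEI access."""
    return IMEI_PERMISSION in requested_permissions(manifest_xml)


def imei_request_rate(manifests: dict) -> tuple:
    """Return (sorted package names that request IMEI access, fraction of sample)."""
    flagged = sorted(pkg for pkg, xml in manifests.items() if requests_imei_access(xml))
    return flagged, len(flagged) / len(manifests)


if __name__ == "__main__":
    flagged, rate = imei_request_rate(SAMPLE_MANIFESTS)
    for pkg in flagged:
        print("requests IMEI access:", pkg)
    print("fraction of sample: %.0f%%" % (rate * 100))
```

For real APKs the manifest is binary-encoded; decode it first (for example with apktool, or list permissions directly with `aapt dump permissions app.apk`) and feed the resulting XML to requested_permissions(). One caveat for current devices: since Android 10, non-privileged apps can no longer read the IMEI even with READ_PHONE_STATE granted, so the check above tells you what an app asks for, not whether the platform will honour it.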
In a drive-by download attack, a cybercriminal lures a user to a malicious or compromised Web site, which exploits vulnerabilities in the browser or its plugins to run attacker-controlled code on the device without any further action by the user. While drive-by downloads are not yet prevalent on mobile devices, it is a vector that attackers are investigating, Daswani says.