Beware the next time you are prompted to download an app on your mobile phone: it could be one of the last things you do on that device.
Israeli security company Check Point has been around since the early 1990s, when a mobile phone was just a large plastic status symbol. But in the years since, the company has seen the devices go from voice handsets to supercomputers – and hence become targets for attacks.
As Gabi Reish, vice president of product for Check Point, explains: "suddenly the phone part of it was just one element; sometimes it is even the less important element. We call them smartphones but they’re really communication devices that are as strong and powerful as any computer."
With great power comes great security risk. At an exclusive briefing with CBR, Reish demonstrated how a seemingly innocuous application could be used to take total control of a mobile device.
To do this, he used a demo app designed by Check Point to hack his own iPhone and then control it remotely from his laptop.
"Let’s say you go to a conference. This is a typical situation: you get an email after you registered to click on this special app that has the agenda of the conference. You click on the link, and you get this mobile app which says you can view the agenda, ask about the sessions."
The email provides what seems to be links to Google Play and the App Store, with the official Google and Apple logos. However, when the user clicks these icons, they are immediately prompted to download the app, rather than being sent to the application stores.
Once the app is downloaded and the device owner has given it the appropriate permissions, the device is fully compromised.
"This device has been hacked and the owner is now in the board room or meeting room. The hacker can now take control of the device and do whatever he wants.
"First of all, I can collect some meta data. I’m also going to start recording."
Reish opens his email inbox (in this demo, the email account of the hacker), where a range of meta data is now available. These even include latitude and longitude coordinates, which when inputted into Google Maps reveal the current location of the phone.
In addition, Reish is able to play back a recording of the recent conversation.
"To protect these mobile devices is a different challenge to protecting a PC," Reish adds. "Installing an anti-virus on your laptop, it’s one of the first things you do. What’s important in the world of mobile is you need to have a very transparent user experience."
"What’s been happening is that more and more, with the strong advantage that the mobile experience has within enterprises, we’ve closed our eyes to the fact that this is a vulnerability to some extent. 21 years ago we were not against the internet, we were all about using security to help people to use the internet in a good way.
"We are doing the same thing with mobile these days. We understand that people are using mobile and think it’s a good thing; we are trying to say how can we implement security in the most transparent way that will not compromise the way the employee is using the device but will give them control of what’s been done and what hasn’t been done."
Who’s building this kind of malware – apart from security companies like Check Point, that is.
"There are two types of organisations that develop malware. It could be that I develop malware for a targeted attack; so it could be a state or criminal organisation that develops software or malware to attack a specific organisation.
"Another is malware development as a service. There are developers of malware that do that as part of a market. They develop software kits of malware and sell them on the black market for others to use."