Consumers rely on their smartphones for everything from snapping pictures to accessing email to storing sensitive personal information. And both hackers and the government are working to gather information from those devices.
Former National Security Agency contractor Edward Snowden on Monday told the BBC about efforts by intelligence agencies in the U.S. and the UK to take control of mobile devices using malware – and explained there “is very little” that smartphone users can do to stop them. Once they have access to the smartphone, agents or hackers can hijack a smartphone’s camera and microphone to take photos, video, and audio without a user’s knowledge.
There are valid reasons to hijack a phone in this way. Terrorists and other criminals often rely on pre-paid “burner” phones, which they discard from time to time, says former CIA operative Robert Baer.
If the NSA can hijack the burner phone and control the camera, however, “you might be able to identify the user by getting a shot of his face,” he says.
Drawing on his knowledge of confidential documents, Snowden revealed to the BBC that the UK’s Government Communications Headquarters has created a set of phone hacking programs called “Smurf Suite,” which are uploaded to a mobile device via a malicious text message. Perhaps the most sinister is “Dreamy Smurf,” which can remotely turn a phone off or on, enabling the agency to trigger the other malware programs like “Tracker Smurf,” which uses the phone’s GPS, and “Nosey Smurf,” which allows the agency to turn on the device’s microphone and record phone conversations.
Another feature called “Paranoid Smurf” makes it difficult for technicians to uncover that a phone has become infected, he told the BBC. This suite of malware programs can track a user’s phone activities like Web browsing and access stored files like phone contacts.
The NSA has invested $1 billion in a similar phone hacking project, Snowden told the BBC.
Such malware can also easily be used by hackers to exploit consumers. In July, Android users learned that a security gap in Google’s smartphone operating system potentially gave hackers access to their Stagefright media libraries via malware sent as a multimedia text message. Once the malware invades the library, the hackers could access each phone’s camera and mic.
While companies upgrade their cybersecurity, updates to such malware are shared covertly on encrypted servers that are part of the so-called “Dark Web,” and even a “reasonably skilled hacker” can use that software to launch attacks, says Clay Calvert, director of cybersecurity at MetroStar Systems.
Google has created a patch to fix the Stagefright problem, but last week Joshua Drake, an Android expert with Zimperium Mobile Security, said a new version of the bug — nicknamed “Stagefright 2” — now exists, attacking phones not via text, but by trying to lure users to download it through an infected Web browser or smartphone app.
“As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area,” he wrote in a blog post.