Security researchers from UK-based MWR Labs have managed to successfully gain access to an Android phone by sending an exploit to the device using Near Field Communications (NFC).
The hack was demonstrated at the Mobile Pwn2Own competition at EUSecWest in Amsterdam. The competition was organised by security firm TippingPoint.
Two vulnerabilities were used to gain access to and retrieve data from a Samsung Galaxy S3. The phone was running Android 4.0.4.
The first flaw was a memory corruption exploit that allowed the team to upload malware to the Samsung phone over NFC.
MWR Labs said that this exploit is not NFC specific, and could be carried out via malicious websites or email attachments.
The second flaw let them weaken Android's app sandbox and raise privileges of the executed code.
The researchers used this to upload a custom version of the firm's Mercury application, which it described as a "free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android."
The team said in a statement: "We could then use Mercury's capabilities to exfiltrate user data from the device to a remote listener, including dumping SMS and contact databases, or initiating a call to a premium rate number."
The team said Android 4.0.4 has many of the exploit mitigation features that are common to desktop Linux distributions, including Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP), but there were shortcomings as well.
These defects allowed them to use the control they had of the device to trigger a second vulnerability.
"Crucially, the ASLR implementation is incomplete in Android 4.0.4, and does not cover Bionic (Android's linker) and /system/bin/app_process, which is responsible for starting applications on the device," said the team.
Other protections that would make exploitation harder were also found to be absent, according to the team. MWR Labs would not go into detail about the hacks until patches were available.
The MWR team won $30,000 for their hack.
In the same contest, Dutch security researchers hacked an iPhone 4S using a malicious web page that could send the phone's pictures, address books and browser history to a hacker's server by exploiting a vulnerability in Safari's WebKit engine.
