Research team highlights Android NFC security holes
Two zero-day vulnerabilities let security boffins hack Samsung Galaxy S3 phone using NFC.
 
 
Security researchers from UK-based MWR Labs have gained access to an Android phone by sending an exploit to the device using Near Field Communications (NFC).
The hack was demonstrated at the Mobile Pwn2Own competition at EUSecWest in Amsterdam. The competition was organised by security firm TippingPoint.
Two vulnerabilities were used to gain access to and retrieve data from a Samsung Galaxy S3. The phone was running Android 4.0.4.
The first flaw was a memory corruption vulnerability, which the team exploited to upload malware to the Samsung phone over NFC.
MWR Labs said that this exploit is not NFC-specific, and could be carried out via malicious websites or email attachments.
The second flaw let them weaken Android's app sandbox and raise privileges of the executed code.
The researchers used this to upload a custom version of the firm's Mercury application, which it described as a "free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android."
The team said in a statement: "We could then use Mercury's capabilities to exfiltrate user data from the device to a remote listener, including dumping SMS and contact databases, or initiating a call to a premium rate number."
The team said Android 4.0.4 has many of the exploit mitigation features that are common to desktop Linux distributions, including Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP), but there were shortcomings as well.
These shortcomings allowed them to use the control they already had of the device to trigger a second vulnerability.
"Crucially, the ASLR implementation is incomplete in Android 4.0.4, and does not cover Bionic (Android's linker) and /system/bin/app_process, which is responsible for starting applications on the device," said the team.
Other protections that would make exploitation harder were also found to be absent, according to the team. MWR Labs would not go into detail about the hacks until patches were available.
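The ASLR coverage gap the team describes can be audited by comparing the memory maps of two launches of the same process: any module that loads at the same base address both times is not being randomised. The following is an added example, not code from MWR Labs or from this article; the function names are hypothetical and the `/proc/<pid>/maps` excerpts are constructed for illustration.

```python
import re

# Constructed /proc/<pid>/maps excerpts from two launches of the same process.
# Addresses are illustrative only, not captured from a real device.
RUN_A = """\
00008000-0000a000 r-xp 00000000 b3:09 1201 /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:09 1201 /system/bin/app_process
4007c000-400bf000 r-xp 00000000 b3:09 1502 /system/lib/libc.so
400d1000-400e5000 r-xp 00000000 b3:09 1533 /system/lib/libm.so
b0001000-b0009000 r-xp 00001000 b3:09 1210 /system/bin/linker
be8f4000-be915000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00008000-0000a000 r-xp 00000000 b3:09 1201 /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:09 1201 /system/bin/app_process
40113000-40156000 r-xp 00000000 b3:09 1502 /system/lib/libc.so
4002e000-40042000 r-xp 00000000 b3:09 1533 /system/lib/libm.so
b0001000-b0009000 r-xp 00001000 b3:09 1210 /system/bin/linker
bebd2000-bebf3000 rw-p 00000000 00:00 0 [stack]
"""

MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$"
)

def load_bases(maps_text):
    """Return {mapping name: lowest start address} for named mappings."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group(4):
            continue  # skip malformed lines and anonymous mappings
        start, name = int(m.group(1), 16), m.group(4)
        bases[name] = min(start, bases.get(name, start))
    return bases

def fixed_mappings(run_a, run_b):
    """Names whose base address is identical in both launches.

    Two samples can collide by chance; repeat with more launches
    before concluding that a mapping is truly unrandomised.
    """
    a, b = load_bases(run_a), load_bases(run_b)
    return sorted(n for n in a.keys() & b.keys() if a[n] == b[n])

if __name__ == "__main__":
    for name in fixed_mappings(RUN_A, RUN_B):
        print("not randomised across launches:", name)
```
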
The MWR team won $30,000 for their hack.
In the same contest, Dutch security researchers hacked an iPhone 4S using a malicious web page that could send the phone's pictures, address books and browser history to a hacker's server by exploiting a vulnerability in Safari's WebKit engine.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.