China spying malware invades smartphones

Just as US companies are coming to grips with threats to their computer networks emanating from cyber spies based in China, a noted expert is highlighting what he says is an even more pernicious vulnerability in smartphones. Dmitri Alperovitch, the former McAfee Inc cyber security researcher best known for identifying a widespread China-based cyber espionage operation dubbed Shady Rat, has used a previously unknown hole in smartphone browsers to plant China-based malware that can commandeer the device, record its calls, pinpoint its location and access user texts and emails. He conducted the experiment on a phone running Google's Android operating system, although he says Apple's iPhones are equally vulnerable. "It's a much more powerful attack vector than just getting into someone's computer," said Alperovitch, who just formed a new security company called CrowdStrike with former McAfee Chief Technology Officer George Kutz. Alperovitch, who has consulted with the US intelligence community, is scheduled to demonstrate his findings on Wednesday at the RSA conference in San Francisco, an annual cyber security gathering. The Shady Rat attack he disclosed last year targeted 72 government and corporate entities for as long as five years, siphoning off unknown volumes of confidential material to a server in China. The malware was disguised as a Google+ app that users could download. But Google quickly removed it from its Android Market app store, which meant that few users were hit. Alperovitch and his team reversed engineered the malware, he said, and took control of it. He then conducted an experiment in which malware was delivered through a classic "spear phishing" attack — in this case, a text message from what looks like a mobile phone carrier, asking the user to click on a link. Alperovitch said he exploited a so-called zero-day vulnerability in smartphone browsers to secretly install the malware. Zero-day vulnerabilities are ones that are not yet known by the manufacturers and anti-virus companies. Earlier this month, the top US intelligence official, James Clapper, accused China and Russia of engaging in "wholesale plunder of our intellectual property" through cyber attacks. Both countries deny a state-sponsored policy of cyber espionage.