Friday, 14 February 2014

QR code drive-by one step closer?

A vulnerability in the majority of Android devices allows an attacker to take remote control of a victim's phone or tablet.

According to a blog post by Rapid7's Tod Beardsley, researchers have demonstrated a combination of a QR code and malicious Javascript that can provide an attacker with a remote shell to the target.

Just to get some facts clear, the attack is not QR code-based. We're not talking about exploiting a QR code scanner to launch an attack. The user still has to choose a browser and proceed to a website that contains the malicious Javascript.

However, it makes sense to initiate the attack with a QR code because that's one way mobile device users visit websites. QR codes are also very visual and so help make demonstration videos more dramatic.

The really important point to take away from this attack is that users do not have to allow any new (malicious) application to run. This is not a social engineering attack in which the user is tricked into installing a malicious application.

They simply need to visit a website (QR code-initiated or not) and the attacker is able to run commands on their device.

It is possible that there are earlier demonstrations of Android-based automatic (aka 'drive-by') attacks, but I've not seen any until now.