Hacking America

The anatomy of an Android smartphone cyberattack

Your new Android phone could be hacked
Your new Android phone could be hacked

You might think buying a new phone from your mobile service provider means the latest model comes with updated software, guarding against potential cyberattacks. Well, you'd be wrong.

Android phones are the most popular smartphones in the world, with more than 78 percent market share, according IDC's Worldwide Quarterly Mobile Phone Tracker.

The number of Android smartphone users worldwide is estimated to have reached 1.16 billion in 2013, according to Ramon Llamas, IDC's mobile phone research manager.

Tod Beardsley, so-called ethical hacker and engineering manager for Rapid 7, a cybersecurity firm, estimates about 70 percent of Android phones in use today still contain a bug uncovered by security researchers more than two years ago, making them vulnerable to cyberattacks. The bug was publicly disclosed about 16 months ago, but outdated versions of the software still exist on some smartphones, Beardsley said.

An ethical hacker is sometimes referred to as a "white hat" hacker who investigates software and hardware vulnerabilities with the main goal of fixing those flaws to prevent future cyberattacks. "Black hat" hackers in contrast are the bad guys, and intentionally exploit vulnerabilities for financial or other personal gain.

The vulnerability affects Android operating software versions between 4.0 and 4.2, said Joshua Drake, lead author of the "Android Hacker's Handbook."

Although Google implemented a fix, there's still a lag in consumers receiving updates for mobile devices, Beardsley says. Google declined emailed requests for comment on the vulnerability.

Security researchers told CNBC this is a common problem with Android OS because of the open-source nature of the Android platform. Tracking updates and quality control are a challenge.

"Different manufacturers have the freedom to have their own version and flavor of the Android OS they use, therefore there is no enforcement or centralized control around patch management for releasing new updates," said Nima Dezhkam, principal consultant for Security Compass, an information security firm.

Read MoreWhat hackers do for fun

Beardsley recently demonstrated the attack on a new, out-of-the-box HTC smartphone, using AT&T service, for CNBC. Beardsley said his goal, by demonstrating the attack, is to put more pressure on manufacturers and mobile phone service providers to provide consumers with an upgrade of the latest patched software.

Playing the role of both the attacker with a laptop computer and the role of victim with the HTC smartphone for our cameras, Beardsley showed how this vulnerability can be exploited. He first sets up a fake "evil" website to lure victims.

Baiting victims through email, social media or by displaying a Quick Response (QR) code that looks like a barcode, an attacker can lure the victim to the suspicious website. A simple click on a link by the user, and Beardsley can seize control, exploiting the Android WebView vulnerability.

Beardsley demonstrated by scanning the QR code. An alert immediately sounded on the laptop, and a message appeared that said, "Command shell session 8 opened…," allowing him to type commands that the victim's phone will now obey.

Beardsley proceeds to access photos on the phone's gallery and that's not all. He can also plant photos that may be compromising to the victim.

Smartphone maker HTC did not respond to email requests seeking comment on the Android WebView vulnerability.

Read More Cell phone thefts soar as advocates hail 'kill switch'

Capturing the hacking flag
Capturing the hacking flag

Though the Android WebView vulnerability doesn't allow complete access to every piece of data on the phone, Beardsley says this type of attack can still be significant.

"Every one of the pictures on your phone has geo-location data on it and so, if I'm an attacker or if I'm the government and I can snag all your pictures off your phone, I can build a nice map of where you tend to be, where you live, where you work, where you go," said Beardsley.

Beardsley and other security researchers say part of the problem with consumers not having the latest, patched software is a fragmented Android ecosystem.

Unlike Apple, consumers can buy Android products and services from multiple vendors. Therefore, software and platform updates can be difficult to track and manage. "It's not like iPhone where Apple is the one source of truth all the way down. You have lots of organizations involved," Beardsley said.

Android's distribution network also is more complex. "Google has done a lot to address the distribution of updates by removing device manufacturers' and carriers' play into the distribution of updates," said Grayson Milbourne, director of security intelligence for Webroot. "However, there are hundreds of millions of older devices still being used that have no path to update," he said.

Source: CNBC video

With many mobile consumers still wrestling with outdated and potentially unsafe software and related technology, the issue has caught the attention of mobile consumer advocates.

In April 2013, the American Civil Liberties Union filed a complaint with the Federal Trade Commission on behalf of consumers regarding the lag in software updates. The ACLU told CNBC they have not received an update from the FTC on the status of their complaint. The FTC, for its part, confirmed to CNBC the receipt of the ACLU's complaint, but declined to comment on whether an investigation has been launched. CNBC also reached out to the mobile service providers named in the ACLU complaint. AT&T declined comment on the issue. T-Mobile and Sprint did not immediately respond to request for comment on the complaint.

"Verizon is shipping phones with Android 4.4 and has been for some time, along with providing regular software updates for customers to download on their devices," a Verizon spokeswoman said.

In addition to upgrading the operating system, Beardsley said another way to protect your phone against the Android WebView vulnerability is to avoid using the default Internet browser that comes installed on your phone. Beardsley recommends using Google Chrome instead because it does not have the Android WebView vulnerability.

Read MoreDitching Apple for Android? What you need to know

By CNBC's Sabrina Korber.

For more CNBC coverage of cybersecurity, visit HackingAmerica.cnbc.com.