October 27, 2016

Chinese Hacking Crew Exploits iPhones and Google Nexus Devices, Awarded $200,000

Apple’s iPhone and Google’s Nexus 6P, which run iOS and Android, the two most widely used mobile phone platforms in the world, were hacked this week as part of the Pwn2Own white hat hackers contest.

At the contest, organized and run by security firm Trend Micro’s Zero Day Initiative (ZDI) in Japan, the iPhone 6S and the Nexus 6P were hacked by a prominent Chinese hacking crew called Keen Lab, reports https://h2.vc/reports/fintechinnovators/2016.

Tencent-owned Keen Lab was able to steal pictures from an Apple iPhone 6S by exploiting two iOS vulnerabilities. For this hack, the hacking outfit was awarded $52,500. Keen Lab also installed a rogue application on the iPhone 6S. While the app did not carry out any malicious actions following a reboot, due to a default security configuration setting engineered by Apple, ZDI still bought the bugs used in the exploit for a further $60,000.

Meanwhile, the Nexus 6P, the flagship product of the Android platform until Google’s recently launched Pixel phones, was also exploited successfully. Keen Lab was able to install a malicious app on the device, combining two different bugs along with other unspecified vulnerabilities in Android. The attack was carried out not once, but three times, netting Keen Lab an astonishing sum of $102,500.

Talking about Keen’s findings and exploits, ZDI chief executive Brian Gorenc stated:

These are critical in nature as they allow an attacker to disclose sensitive information or install a malicious application. We’ve seen similar exploits recently used in the wild.

The vulnerabilities were quickly handed over to the relevant companies, Apple and Google. Gorenc added that while work on patches is already underway, it might take months before those patches are released.

Gorenc also revealed an interesting takeaway about the mechanism by which exploits targeting the most popular phones in the world succeed.

All of the exploits were triggered by browsing to a malicious website. From that perspective, it’s relatively simple to trick a user into this scenario. Crafting the exploit itself isn’t trivial and requires months of research and experimentation.


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
