Android Nexus One can fool PCs with malware keyboard

Insecurity experts at George Mason University have managed to use an Android-based Nexus One to fool a laptop.

Apparently, with a natty bit of coding, the laptop would swear in a police line-up that the Nexus One was its keyboard – and would let it issue commands to the computer to steal files and download malware.

Angelos Stavrou, an assistant professor of computer science at George Mason University, and student Zhaohui Wang wrote software which can change the USB driver so that they could launch a surreptitious attack while someone is charging a smartphone or syncing data between a smartphone and a computer.

Talking to CNET, Stavrou said that the exploit identifies what operating system is running on the device the USB cable is connected to.

On Macintosh and Windows machines, a message pops up saying the system has detected a new human interface device, but you can't stop it.

If it detects that it is a Mac, the malware can remove the popup with a command sent via the smartphone, so the laptop owner may not even see it. The Windows pop-up lasts only one or two seconds in the lower left corner. Linux users would not even know what hit them, as they receive no warnings at all.

This is all possible because the USB protocol allows for a connection without authentication. Currently, operating systems do not prompt the user whether he or she really wishes to connect the peripheral to USB – they just do it without being asked.
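Since the host accepts whatever a device claims to be, the check has to be made on the host side. The sketch below is an added example, not the researchers' code: it walks a raw USB configuration descriptor and flags a device that announces a keyboard-style HID interface alongside storage or vendor-specific interfaces. The class codes come from the USB specification; the allow/review/block policy and the sample descriptors are constructed for illustration.

```python
import struct

HID, MASS_STORAGE, VENDOR = 0x03, 0x08, 0xFF   # bInterfaceClass values
DT_INTERFACE = 0x04                            # bDescriptorType: interface

def parse_interfaces(config: bytes):
    """Walk raw descriptors; return (class, subclass, protocol) per interface."""
    found, off = [], 0
    while off < len(config):
        if off + 2 > len(config):
            raise ValueError("truncated descriptor header")
        length, dtype = config[off], config[off + 1]
        if length < 2 or off + length > len(config):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {off}")
            found.append(tuple(config[off + 5:off + 8]))
        off += length
    return found

def assess(config: bytes) -> str:
    """Assumed policy: a device that can type AND store/sync is not trusted."""
    classes = {cls for cls, _, _ in parse_interfaces(config)}
    if HID not in classes:
        return "allow"
    if classes & {MASS_STORAGE, VENDOR}:
        return "block"     # composite device that also claims to be an input device
    return "review"        # HID only: a new keyboard or mouse, ask the user first

# --- constructed sample descriptors (not captured from real hardware) ---
def _iface(num, cls, sub, proto):
    return bytes([9, DT_INTERFACE, num, 0, 1, cls, sub, proto, 0])

def _config(*descs):
    body = b"".join(descs)
    n = sum(d[1] == DT_INTERFACE for d in descs)
    return struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), n, 1, 0, 0x80, 250) + body

ENDPOINT = bytes([7, 0x05, 0x81, 0x03, 8, 0, 10])           # endpoint (skipped by parser)
HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0])  # HID class descriptor

PHONE = _config(_iface(0, MASS_STORAGE, 0x06, 0x50), ENDPOINT)
PHONE_AS_KEYBOARD = _config(_iface(0, MASS_STORAGE, 0x06, 0x50), ENDPOINT,
                            _iface(1, HID, 0x01, 0x01), HID_DESC, ENDPOINT)
KEYBOARD = _config(_iface(0, HID, 0x01, 0x01), HID_DESC, ENDPOINT)

if __name__ == "__main__":
    for name in ("PHONE", "PHONE_AS_KEYBOARD", "KEYBOARD"):
        print(name, assess(globals()[name]))
```

Keyboards that do not use the boot protocol report subclass and protocol 0, which is why the policy keys on the HID class rather than on the keyboard protocol byte.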

Once the phone is connected, the malware can be transferred and it is goodnight Vienna for any information that might be in the laptop.

It is like many things in this world. You have to be darn careful what you allow to be plugged into your gadgets.

If you leave your computer running near any strange-looking bloke in a trench coat who seems to be carrying a smartphone, you could be in trouble.