ibtimes published yesterday an article about InterApp system, developed by Rayzone Group. According to vendor’s brochure, the device can be places in a public place. It uses vulnerabilities in mobile apps to gain complete access to your phone and steal all information from the phone and the cloud:
“InterApp is fully transparent to the target and does not require any cooperation from the phone owner. The only required condition is that the WIFI transmitter of the mobile device will be open (No need to surf the web)”.
And they claim Dropbox support as well :)
The zero-day market for mobile apps is huge now, but I personally do not think this is the way they do it. Most likely vendor uses zero-day vulnerability in mobile OS (e.g. Android, iOS) or they already have preinstalled backdoor. This accusation is huge, because this means, that no matter you do, your phone can be accessed at any time anywhere. And usual app would not be able to send any data through Wi-Fi channels without an actual Wi-Fi connection with AP. At least it should not :)
Challenge of the year: let’s search for that zero-day! :)