This is what a single unintentional click to a bad web link can do. As George Kurtz and his colleagues from security startup Crowdstrike showed to a small group of audience at the RSA security conference, a single-click to a bad web link via an Android-based mobile phone could get it hacked. Once hackers take control of the phone, they can track phone calls, intercept text messages, and track the phone’s location, Kurtz revealed to the audience.

What George Kurtz and colleagues did was that they played the scenario on-stage in front of the conference audience. Kurtz, playing the role of a busy investor, received a text message on his that claimed to be from his mobile carrier. Once he clicked on the link, his mobile crashed and rebooted on his own. Once the phone restarted, it seemed to be unchanged, however during this process, a silent malicious app got installed in it which could do all the mischiefs, so to speak, with the phone.A

The phone used to demonstrate all this had Android 2.2 OS installed. The attack made use of bugs present in the components of Android’s browser which also comes bundled with Android 2.3 OS. Incidentally, WebKit the browser component that was exploited also forms the core of iPhone and iPad web browsers.

Targets of such magnitude have happened in the past, yet this is the first end-to-end demonstration of its kind, which George Kurtz and colleagues performed live.