Skip to content ↓ | Skip to navigation ↓

A new type of Man-in-the-Middle (MITM) attack is currently being exploited by cybercriminals against Android and iPhone users around the world.

Security researchers at Zimperium Mobile Security have disclosed their findings of the technique, known as DoubleDirect, which is capable of redirecting a victim’s smartphone traffic to the attacker’s device.

“Once redirected, the attacker can steal credentials and deliver malicious payloads to the victim’s mobile device that can not only quickly infect the device, but also spread throughout a corporate network,” said Zimperium in a blog post.

According to the company’s research, traffic from various popular websites, including Google, Facebook, Twitter, Hotmail and, had been redirected during the attacks on victim’s devices in an effort to collect valuable personal data, such as email IDs, credentials and banking information.

However, researchers note that cybercriminals may not have had visibility to encrypted traffic enabled by certain services.

The company stated most Android devices tested appeared to be at risk, including Nexus 5 and Lollipop, as well as iOS users. The attack was successful on Apple’s latest version (8.1.1), with the possibility of also impacting Mac OS X Yosemite users. Windows and Linux are not affected,  as the operating systems do not accept ICMP redirect packets.

The attacks have been tracked to more than 30 countries around the globe, including the US, Canada, the UK, Germany, Spain, China, India, Australia, and Mexico, among many others.

The company detailed how DoubleDirect is capable of snooping into a victim’s smartphone:

DoubleDirect uses ICMP Redirect packets to modify routing tables of a host. This is legitimately used by routers to notify the hosts on the network that a better route is available for a particular destination. However, an attacker can also use ICMP Redirect packets to alter the routing tables on the victim host, causing the traffic to flow via an arbitrary network path for a particular IP.

As a result, the attacker can launch a MITM attack, redirecting the victim’s traffic to his device. Once redirected, the attacker can compromise the mobile device by chaining the attack with additional Client Side vulnerability (e.g: browser vulnerability), and in turn, provide an attacker with access to the corporate network.

The consequences of this attack can be serious but as Tripwire Security Researcher Craig Young explains, the attacker must already have some level of access to the same network that the victim is connected through, making users connecting to public or open wireless networks a prime target.

“Attackers will always find a way to force victim traffic through an attacker-controlled resource, which is why EFF and other privacy advocates have been pushing very hard for protecting as much communication as possible with SSL,” said Young.

“Even if an attacker has the ability to intercept a victim’s traffic, there is little they can do if the targeted system uses properly implemented cryptography.”

However, Young points out a variety of research has demonstrated an abundance of systems still fail in using SSL in a secure manner. As a member of Tripwire’s Vulnerability and Exposure Research Team (VERT), Young exemplifies some of these findings in a blog post showing how to configure an SSL MITM test lab for Android devices.