Former McAfee researcher exploits zero-day hole in smartphone browser

Alperovitch, perhaps best known for uncovering the Chinese-based Shady Rat operation, conducted the exploit on an Android phone, although he said that iPhones are vulnerable as well, according to a story by the Los Angeles Times.

The researcher and his team at CrowdStrike reverse-engineered the Nickispy malware, he said, and took control of the Android phone. He then conducted an experiment in which malware was delivered through a "spear phishing" attack — in this case, a text message from what looks like a mobile phone carrier, asking the user to click on a link.

"The minute you go to the site, it will download a real-life Chinese remote access tool to your phone. The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing", Alperovitch told the newspaper. He said that there is no security software that can thwart the malware.

Alperovitch is scheduled to demonstrate his findings Feb. 29 at the RSA conference in San Francisco, the newspaper noted.
