
Offensive mobile security researcher “thewhiteh4t” has demonstrated how easy it is to reveal your exact smartphone location without installing malware.
The researcher openly released Seeker, a concept tool that allows attackers to precisely pinpoint a smartphone’s location without the user installing any malicious app.
The tool relies on social engineering techniques and still requires some user interaction – to visit a website and grant permissions.
Mobile Hacker warns that clicking on a simple link can reveal a smartphone’s precise location. You can find the GitHub project here.
The concept is as simple as any phishing site – it mimics a popular service, tricking users into making just two clicks.
One of the phishing page templates appears as a Google document requiring the user to request access permission.
If the user visits the phishing site, clicks on “Request access,” and subsequently taps “allow” on a pop-up asking to use their location, the site will beam it directly to the attacker-controlled server.
Other templates mimic NearYou, WhatsApp, Telegram, Zoom, and Google reCAPTCHA, and users can create their own templates.
In a video, the white hat demonstrated that an attacker with precise location (longitude, latitude, accuracy in meters, altitude) also obtains device information, such as OS, platform, browser, GPU vendor, and other data. If the victim is moving, the tool will additionally provide direction and speed metrics.
“This tool is a Proof of Concept and is for Educational Purposes Only. Seeker shows what data a malicious website can gather about you and your devices and why you should not click on random links and allow critical permissions such as Location, etc.,” the expert explains.
Thewhiteh4t warns that hackers can get device information, including a unique ID, using canvas fingerprinting, without any permissions.
The versatility of the tool allows it to track any device using HTML. When the tool gets “Location Permission,” it grabs data from GPS hardware, and, if it is not present, falls back to IP geolocation or cached coordinates.
The tool can be run on any device with a Linux terminal. It runs a local PHP web server and utilizes tunneling services like ngrok to expose the server online.
Mobile Hacker warns users to be wary of unknown links, regularly review browser permissions, and disable unused or untrusted ones. Just clicking on the malicious link reveals your IP address, operating system, browser, and device details to an attacker.
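One way a defender could spot visits to pages served through such tunnels in web-proxy logs, as an added example that is not part of the original article or the Seeker project. The log format, the sample lines, and the suffix list (hostnames used by ngrok, not exhaustive) are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hostname suffixes used by the ngrok tunneling service.
# Not exhaustive; extend with other tunnel providers seen in your environment.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok.app", "ngrok-free.app")

# Constructed sample lines in a hypothetical "time client method url" proxy format.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.0.0.21 GET https://docs.google.com/document/d/abc/edit
2024-05-01T09:12:40Z 10.0.0.21 GET https://a1b2c3d4.ngrok-free.app/index.html
2024-05-01T09:12:55Z 10.0.0.21 POST https://a1b2c3d4.ngrok-free.app:443/submit
2024-05-01T09:13:10Z 10.0.0.35 GET https://notngrok.io/pricing
2024-05-01T09:14:02Z 10.0.0.35 GET http://EXAMPLE.NGROK.IO./
malformed line
"""


def tunnel_host(url):
    """Return the normalized hostname if it is a tunnel subdomain, else None."""
    # urlsplit lowercases the hostname and drops the port; strip a trailing dot.
    host = (urlsplit(url).hostname or "").rstrip(".")
    for suffix in TUNNEL_SUFFIXES:
        # Require a label boundary so "notngrok.io" does not match "ngrok.io".
        if host.endswith("." + suffix):
            return host
    return None


def find_tunnel_visits(log_text):
    """Map (client, host) -> HTTP methods seen, for tunnel-hosted URLs only."""
    visits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        _time, client, method, url = parts
        host = tunnel_host(url)
        if host:
            visits.setdefault((client, host), []).append(method)
    return visits


def submitted_data(visits):
    """Clients that sent a POST to a tunnel host, i.e. likely submitted data."""
    return sorted({c for (c, _), methods in visits.items() if "POST" in methods})


if __name__ == "__main__":
    for (client, host), methods in find_tunnel_visits(SAMPLE_LOG).items():
        print(client, host, methods)
```

A hit is a lead for review rather than proof of phishing, since tunnels are also used for legitimate development and demos.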