Android bugs let attackers install malware without warning

No permissions necessary

Researchers have disclosed bugs in Google's Android mobile operating system that allow attackers to surreptitiously install malware on users' handsets.

The more serious of the two flaws was demonstrated on Wednesday in a proof-of-concept app that was available in the Google-sanctioned Market. Disguised as an expansion for the popular game Angry Birds, it silently installs three additional apps that, without warning, have access to a phone's contacts, location information and SMS functionality and can transmit that data to a remote server.

It took Google about six hours to pull the bogus app, said Scio Security CTO Jon Oberheide, one of the two researchers to discover and exploit the vulnerability. What will be harder to lock down are the special security tokens the web giant uses to authenticate Android users so they don't have to expose their passwords to third-party services. The proof-of-concept works by exploiting weaknesses in that Android token system.

“It abuses that token to perform the same actions the legitimate Market app would perform, but without asking for permission,” Oberheide told The Register. “Through some of the research, we realized we could use this one specific token for the Android service to bypass the restrictions on the permission system.”

Zach Lanier, a senior consultant at Intrepidus Group, also worked to discover the bypass bug. He and Oberheide plan to provide more details at an internal security conference scheduled for Thursday at Intel's Oregon campus.

"We've begun rolling out a fix for this issue, which will apply to all Android devices," a Google spokesman said. "As always, we advise users to only install applications they trust."

Oberheide said that his disclosure came the same day that a researcher with Basingstoke, UK-based MWR InfoSecurity demonstrated a separate bug in the Android browser that lets attackers install malware on a fully patched HTC Legend running Android 2.1. Although the most recent Android version is 2.2, figures supplied by Google show that 64 percent of users have yet to be upgraded to it.

Nils, who doesn't disclose his surname to journalists, didn't respond to emails seeking comment. He is scheduled to present his findings on Thursday at the Blackhat security conference in Abu Dhabi.

Oberheide is the same researcher who in June forced Google to wield Android's then-secret remote kill switch when he released a pair of applications to demonstrate how easy it is to use Market to bootstrap a rootkit onto Android phones.

The two most recent attacks “operate entirely in userspace and leverage weaknesses present in the Android platform and common HTC handsets to achieve their goals,” Oberheide said. They came the same week that attack code exploiting a browser vulnerability in older Android phones was released. ®
