The Register® — Biting the hand that feeds IT

Feeds

Android bugs let attackers install malware without warning

No permissions necessary

By Dan Goodin, 10th November 2010
  • print
  • alert

Customer Success Testimonial: Recovery is Everything

Researchers have disclosed bugs in Google's Android mobile operating system that allow attackers to surreptitiously install malware on users' handsets.

The most serious of the two flaws was poignantly demonstrated on Wednesday in a proof-of-concept app that was available in the Google-sanctioned Market. Disguised as an expansion for the popular game Angry Birds, it silently installs three additional apps that without warning have access to a phone's contacts, location information and SMS functionality and can transmit their data to a remote server.

It took Google about six hours to pull the bogus app, said Scio Security CTO Jon Oberheide, one of the two researchers to discover and exploit the vulnerability. What will be harder to lock down are the special security tokens the web giant uses to authenticate Android users so they don't have to expose their passwords to third-party services. The proof-of-concept works by exploiting weaknesses in that Android token system.

“It abuses that token to perform the same actions the legitimate Market app would perform, but without asking for permission,” Oberheide told The Register. “Through some of the research, we realized we could use this one specific token for the Android service to bypass the restrictions on the permission system.”

Zach Lanier, a senior consultant at Intrepidus Group, also worked to discover the bypass bug. He and Oberheide plan to provide more details at an internal security conference scheduled for Thursday at Intel's Oregon campus.

"We've begun rolling out a fix for this issue, which will apply to all Android devices," a Google spokesman said. "As always, we advise users to only install applications they trust."

Oberheide said that his disclosure came the same day that a researcher with Basingstoke, UK-based MWR InfoSecurity demonstrated a separate bug in the Android browser that lets attackers install malware on a fully patched HTC Legend running Android 2.1. Although the most recent Android version is 2.2, figures supplied by Google show that 64 percent of users have yet to be upgraded to it.

Nils, who doesn't disclose his surname to journalists, didn't respond to emails seeking comment. He is scheduled to present his findings on Thursday at the Blackhat security conference in Abu Dhabi.

Oberheide is same researcher who in June forced Google to wield Android's then-secret remote kill switch when he released a pair of applications to demonstrate how easy it is to use Market to bootstrap a rootkit onto Android phones.

The two most recent attacks “operate entirely in userspace and leverage weaknesses present in the Android platform ad common HTC handsets to achieve their goals,” Oberheide said. They came the same week that attack code exploiting a browser vulnerability in older Android phones was released. ®

Ensure Ease of Recovery with Asigra’s Agentless Software

COMMENTS

House Rules Send Corrections
All Reader Comments (62)
Highly Rated
Anonymous Coward
Reply Icon

Re: This a very serious vulnerability

" I won't be caught dead with an Android phone, there are lots of alternatives, iOS, WinMo, MeeGo, Symbian, BlackBerry OS, QNX..."

... and of course none of them have any bugs. I think you'll find security is one area where it's best not to be too smug about someone else's misfortune.

And the fact the source code was publicly available for inspection means this bug has been found, and can be fixed. That's a good thing, in case you were wondering.

8
1
Loyal Commenter
Reply Icon

Meanwhile, in the real world...

http://www.theregister.co.uk/2010/11/10/iphone_forced_calls/

And that was yesterday.

7
1
Anonymous Coward

Serious Future?

I wonder if Android has a serious future?, Google seems update Android every 4 months and honestly believe every Android handset out there is upgraded to the latest and greatest version of the OS. In reality, Android handsets are released and rarely upgraded, usually only getting 1 version bump before being classes as old. Mobile phone contracts are normally 18 to 24 months and so users are left exposed to all sorts of issues whilst they wait for their contract to renew/expire.

With Android appearing on cheap tablet computers (like Next's one) it's only a matter of time before people (normal non-techical people) are going associate Android with low quality and no support. Google need to get a grip on their OS before Android is considered a poor persons Ipad/Iphone/Windows phone.

5
1

More from The Register

breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19
Critical Java SE update due Tuesday fixes 40 flaws
And yes, most are remotely exploitable
33
Kaspersky slips server security into PC software as attackers get crafty
Want to bag a CEO? Aim for his family
8
NSA accused of new crimes ... against slideware
They may take our information but they cannot take our REFINED AESTHETICS
40