Feeds

Android bug lets attackers install malware without warning

Google patch cycle puts users at risk

Protecting against web application threats using SSL

It's been more than a month since researchers reported two serious security vulnerabilities in Android, but so far there's no indication when they will be purged from the Google-spawned operating system that's the world's most popular smartphone platform.

The first flaw allows apps to be installed without prompting users for permission. The permission-escalation vulnerability permits attackers to surreptitiously install malware in much the way a proof-of-concept exploit researcher Jon Oberheide published last year did. In that case, an app he planted in the Android Market and disguised as an expansion pack for the Angry Birds game secretly installed three additional apps that without warning monitored a phone's contacts, location information and text messages so data could transmitted to a remote server.

“The Android Market ecosystem continues to be a ripe area for bugs,” Oberheide wrote in an email. “There are some complex interactions between the device and Google's Market servers which has only been made more complex and dangerous by the Android Web Market.”

The second bug resides in the Linux kernel where Android originates and makes it possible for installed apps with limited privileges to gain full control over the device. The vulnerability is contained in code device manufacturer have put into some of Android's most popular handsets, including the Nexus S. The bug undermines the security model Google developers created to contain the damage any one application can do to the overall phone.

Oberheide and fellow researcher Zach Lanier plan to speak more about the vulnerabilities at a two-day training course at the SOURCE conference in Barcelona in November. In the meantime, they put together a brief video showing their exploits in action.

A Google spokesman declined to comment for this post.

One of the hopes for Android a few years back was that it would be a viable alternative to Apple's iOS, both in terms of features and security. With the passage of time, the error of that view is becoming harder to ignore. By our count, Google developers have updated Android just 16 times since the OS debuted in September 2008. The number of iOS updates over the same period is 29.

It's a far cry from the approach Google takes with its Chrome browser, which is updated frequently, and has been known to release fixes for the Flash Player before they're even released by Adobe.

Even more telling, when a new version of iOS is released, it's available almost immediately to any iPhone user with the hardware to support the upgrade. Android users, by contrast, often wait years for their phone carriers to supply updates that fix code execution vulnerabilities and other serious flaws.

Owners of the Motorola Droid, for instance, are stuck running Android 2.2.2 even though that version was released in May 2010 and contains a variety of known bugs that allow attackers to steal confidential data and remotely execute code on handsets the run the outdated version.

Oberheide has more here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.