Slashdot Mirror


Android Holes Allow Secret Installation of Apps

CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"

10 of 132 comments

  1. Makes popcorn by Anonymous Coward · Score: 5, Funny

    And sits down to watch the fanboy battle begin. Go go go

    1. Re:Makes popcorn by MobileTatsu-NJG · Score: 2, Funny

      I dare the posters on this site to go this entire thread without mentioning Apple.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:Makes popcorn by Anonymous Coward · Score: 1, Funny

      Oh damn! Already foiled.

    3. Re:Makes popcorn by TheRaven64 · Score: 4, Funny

      Isn't this very similar to a problem my iPhone had just a few months ago?

      Nope, it's entirely different. This is a security hole, while the iPhone had a jailbreak opportunity.

      --
      I am TheRaven on Soylent News
  2. Android is open... by Schuthrax · Score: 3, Funny

    So that means anyone can compile and install his or her own fixes? So this sounds like a non-issue to me.

  3. Yes, and people really should read the source by Brannon · Score: 2, Funny

    before they install their apps.

  4. Microsoft's fault by Anonymous Coward · Score: 1, Funny

    I've been suspicious for a long time that Google is having Microsoft write all their software. This proves it.

  5. Re:Telco backdoors by gmhowell · Score: 5, Funny

    If I'm not mistaken, all mobile phones have backdoors for telcos to use, for silently pushing firmware updates and bricking phones, etc.

    I might be mistaken, but I'm pretty sure that's what my cousin told me, who works with setting up mobile infrastructure.

    No kidding? Well, my best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night. I guess it's pretty serious.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  6. Re:Telco backdoors by fostware · Score: 2, Funny

    Abe Froman can afford to give you mod points.

    --
    "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
  7. Re:I can't find that app in the App Store by FatdogHaiku · Score: 3, Funny

    Man I found it but Fake Location Tracker doesn't seem to work :(

    You must first be in a fake location...duh!

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office