Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Holes Allow Secret Installation of Apps

Posted by timothy on from the be-glad-he's-on-your-side dept.

CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"

8 of 132 comments (clear)

  1. Adobe @#^@#$ us over again by Anonymous Coward · · Score: 2, Insightful

    A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

  2. What of old versions by giorgist · · Score: 5, Insightful

    See now that Android is becoming a big target = installed base
    Old phones are rarely updated.
    New phones and evices are still coming out with 1.6
    Old 1.6 phones are still alive

    All vulnerabilities will persist.

    So an auto logging in banking app is there for the taking

    1. Re:What of old versions by Rich0 · · Score: 4, Insightful

      Well, it remains to be seen if they backport fixes to 1.6, but I agree completely that this is a potential weakness of the platform. Vendors are WAY too quick to abandon old phones. If it isn't still in stores, they don't care about it.

      In fact, probably the best way for us poor G1 owners to get some official updates for our phones is to start releasing viruses designed to take down the cell network. THAT would get some updates out quick! :) (Disclaimer - I'm not advocating that anybody actually do this of course!)

  3. The Downside of Smart Phones by Anonymous Coward · · Score: 2, Insightful

    There are a lot of upsides to phones that can install aps, browse the web, and so on and so forth. This article is an example of one of the downsides, though. With computer-type capabilities, you get computer type problems. The old wired phones, and probably even most "dumb" cell phones pretty much were only vulnerable to people who had physical access to them altering their behavior. Now phones can theoretically get viruses and dial out on their own and so on and so forth.

    I'm not advocating that people discontinue buying smart phones, but it's always good to pause for a second and think about the things we give up to move forward, as it were.

  4. Re:Time to move to a repository system? by Rich0 · · Score: 2, Insightful

    I still think a better solution is to make it impossible to write malicious software in the first place.

    Apps should not generally open arbitrary network sockets. Apps should generally not be able to use gobs of bandwidth. Apps should generally not be able to call 911/etc.

    Maybe an in-between solution is for Google to vet apps that request more sensitive permissions. So, if your app just displays on-screen, makes connections back to the distributor's website with modest bandwidth use, and maybe plays some music, then no pre-approval is required. If your phone accesses the phone book, the dialer, or sends arbitrary network traffic, then it requires pre-approval. That will of course make app authors think twice about whether those things are necessary.

    Perhaps another step is to make it so that by default the app asks for the more sensitive permissions but the user has to confirm them individually and if they just hit the OK button the software gets installed with safer permissions. This would of course require software authors to design their apps so that they work fine with or without GPS location, or phonebook access, or the dialer, or without services, etc.

  5. General purose computing device by bm_luethke · · Score: 2, Insightful

    Until smart phone manufacturers realize that they are making general purpose computing devices we will see this. To some there is a "war" going on between Apple and Android but that really misses the issue - in this respect trying to figure out which is the "better" on is like trying to figure out if Frosted Flakes or Fruit Loops is the better breakfast cereal - it is personal preference and there are most likely "better" solutions out there (and as a disclaimer I am an Android user - Droid One).

    Until one side truly figures this out I'll stick with Android if for nothing else than I can get the functionality I want. With Apple I have to buy into their idea on how their devices fit into my life and I, well, do not. If Apple truly had this superior model than I would go for it, but as far as I can see I get the worst of both worlds - lack of specialized apps (as those are often, for unknown reasons, rejected from their app store and there are one or two I would like) along with just as many vulnerabilities (and those usually require you store that info on the phone - which until/unless they secure them I do not). So I currently see Apple as having those issues yet none of the "rewards" of going with them.

    There are a handfull of people I know I would still recommend the iPhone too, but unless they already know the iPhone platform over the Android and are still asking others about it that is rare. Sadly it isn't because Android is truly better, but because if all else is equal then the flexibility of the Android system is superior and pretty much everything else is equal. Apple has remained where they are for a *long* time because they haven't figured this out too - though I also have to say they have not died because they ignore it too (their model of revenue find this irrelevant, which means they will not "win" but really can not "loose").

    --
    ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
    1. Re:General purose computing device by khchung · · Score: 4, Insightful

      Until smart phone manufacturers realize that they are making general purpose computing devices we will see this.

      I say just the opposite. Until the Android crowd realize that a lot of people do not want a general purpose computing devices on their phone, they will be talking past all iPhone users.

      I work with computers for a living, I know very well the high cost of ownership for owning a general purpose computing devices. I do not want that for my phone. I deliberately stayed away from "smartphones" until Apple got smart enough and produce one that obviously is not intended to be a PC on a phone.

      All your reasons for calling Android "superior" is exactly the reasons that I found it inferior. I want a limited device that only do what I want and no more. The "no more" part is important to me, as it keeps the cost of ownership low. This seems to a point that the Android crowds never understand.

      Maybe you find it intellectually simulating to find which security hole is patched in which Android version, and fun to track down exactly which Android version can be hacked to be installed on your phone (since your phone supplier probably won't give you a fix until a year later).

      For me, I just want iTunes to periodically check if my phone has the latest patch and tell me about any updates, so I can install it by clicking "Yes".

      --
      Oliver.
    2. Re:General purose computing device by bigstrat2003 · · Score: 4, Insightful

      Your logic fails. First, the main aspect of the iPhone that you could claim is an advantage over Android, the harsh policing of the app store, is irrelevant for security. Google can, and has, taken down apps that were insecure. The Android Market can be just as monitored as the iOS app store is. The real advantage is not anything to do with the market, it is the fact that you can install apps that are not from there. I'm sure you'll say "but I don't need that", but that's not true. You don't need it yet. I'm sure you'll feel differently if you ever have the bad luck to start to heavily use an app that Steve Jobs decides offends him in some way, and subsequently gets removed from the app store.

      Second, if your reason for having an iPhone includes "I can just wait for iTunes to tell me when there's a new version", that's ridiculous. You can be ignorant of security flaws on Android, as well. Trust me, there's no one that makes you go read up on them on /. (although apparently you would do so anyway, since you read this article). You can just wait for the phone to tell you that there's a new update for the OS available, and install it. Just like the iPhone! Of course, just like the iPhone, if there's a security bug you won't know about it and can be exploited, but if that's really what you want you can get it.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard