Android Holes Allow Secret Installation of Apps

CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"

Time to move to a repository system?

[mlts]

As mentioned before on /., Maybe Google should consider moving to a repository system. By default, Android devices should have a repository where apps are vetted, Apple App Store style. Of course, have the ability for a user to easily turn on the second repository (which would be the current Google App Store) for items not found on the "blessed"/default repo.

This has worked for OSS projects for over a decade. It should work quite well for Android.