Slashdot Mirror


Android Holes Allow Secret Installation of Apps

CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"

8 of 132 comments

  1. Makes popcorn by Anonymous Coward · Score: 5, Funny

    And sits down to watch the fanboy battle begin. Go go go

    1. Re:Makes popcorn by TheRaven64 · Score: 4, Funny

      Isn't this very similar to a problem my iPhone had just a few months ago?

      Nope, it's entirely different. This is a security hole, while the iPhone had a jailbreak opportunity.

      --
      I am TheRaven on Soylent News
  2. Time to move to a repository system? by mlts · Score: 4, Interesting

    As mentioned before on /., maybe Google should consider moving to a repository system. By default, Android devices should have a repository where apps are vetted, Apple App Store style. Of course, have the ability for a user to easily turn on the second repository (which would be the current Google App Store) for items not found on the "blessed"/default repo.

    This has worked for OSS projects for over a decade. It should work quite well for Android.

  3. What of old versions by giorgist · Score: 5, Insightful

    See now that Android is becoming a big target = installed base
    Old phones are rarely updated.
    New phones and devices are still coming out with 1.6
    Old 1.6 phones are still alive

    All vulnerabilities will persist.

    So an auto-logging-in banking app is there for the taking

    1. Re:What of old versions by Rich0 · Score: 4, Insightful

      Well, it remains to be seen if they backport fixes to 1.6, but I agree completely that this is a potential weakness of the platform. Vendors are WAY too quick to abandon old phones. If it isn't still in stores, they don't care about it.

      In fact, probably the best way for us poor G1 owners to get some official updates for our phones is to start releasing viruses designed to take down the cell network. THAT would get some updates out quick! :) (Disclaimer - I'm not advocating that anybody actually do this of course!)

  4. Re:Telco backdoors by gmhowell · Score: 5, Funny

    If I'm not mistaken, all mobile phones have backdoors for telco's to use, for silently pushing firmware updates and bricking phones, etc.

    I might be mistaken, but I'm pretty sure that's what my cousin told me, who works with setting up mobile infrastructure.

    No kidding? Well, my best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night. I guess it's pretty serious.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  5. Re:General purpose computing device by khchung · Score: 4, Insightful

    Until smart phone manufacturers realize that they are making general purpose computing devices we will see this.

    I say just the opposite. Until the Android crowd realize that a lot of people do not want a general purpose computing device on their phone, they will be talking past all iPhone users.

    I work with computers for a living, I know very well the high cost of ownership for owning a general purpose computing device. I do not want that for my phone. I deliberately stayed away from "smartphones" until Apple got smart enough and produced one that obviously is not intended to be a PC on a phone.

    All your reasons for calling Android "superior" are exactly the reasons that I found it inferior. I want a limited device that only does what I want and no more. The "no more" part is important to me, as it keeps the cost of ownership low. This seems to be a point that the Android crowd never understands.

    Maybe you find it intellectually stimulating to find which security hole is patched in which Android version, and fun to track down exactly which Android version can be hacked to be installed on your phone (since your phone supplier probably won't give you a fix until a year later).

    For me, I just want iTunes to periodically check if my phone has the latest patch and tell me about any updates, so I can install it by clicking "Yes".

    --
    Oliver.
  6. Re:General purpose computing device by bigstrat2003 · Score: 4, Insightful

    Your logic fails. First, the main aspect of the iPhone that you could claim is an advantage over Android, the harsh policing of the app store, is irrelevant for security. Google can take down, and has taken down, apps that were insecure. The Android Market can be just as monitored as the iOS app store is. The real advantage is not anything to do with the market, it is the fact that you can install apps that are not from there. I'm sure you'll say "but I don't need that", but that's not true. You don't need it yet. I'm sure you'll feel differently if you ever have the bad luck to start to heavily use an app that Steve Jobs decides offends him in some way, and subsequently gets removed from the app store.

    Second, if your reason for having an iPhone includes "I can just wait for iTunes to tell me when there's a new version", that's ridiculous. You can be ignorant of security flaws on Android, as well. Trust me, there's no one that makes you go read up on them on /. (although apparently you would do so anyway, since you read this article). You can just wait for the phone to tell you that there's a new update for the OS available, and install it. Just like the iPhone! Of course, just like the iPhone, if there's a security bug you won't know about it and can be exploited, but if that's really what you want you can get it.

    --
    "16MB (fuck off, MiB fascists)" - The Mighty Buzzard