Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Holes Allow Secret Installation of Apps

Posted by timothy on from the be-glad-he's-on-your-side dept.

CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"

3 of 132 comments (clear)

  1. Makes popcorn by Anonymous Coward · · Score: 5, Funny

    And sits down to watch the fanboy battle begin. Go go go

  2. What of old versions by giorgist · · Score: 5, Insightful

    See now that Android is becoming a big target = installed base
    Old phones are rarely updated.
    New phones and evices are still coming out with 1.6
    Old 1.6 phones are still alive

    All vulnerabilities will persist.

    So an auto logging in banking app is there for the taking

  3. Re:Telco backdoors by gmhowell · · Score: 5, Funny

    If I'm not mistaken, all mobile phones have backdoors for telco's to use, for silently pushing firmware updates and bricking phones, etc.

    I might be mistaken, but I'm pretty sure that's what my cousin told me, who works with setting up mobile infrastructure.

    No kidding? Well, my best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night. I guess it's pretty serious.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon