Malicious Android App Exploits “Old Vulnerability”
Security researchers develop app which bypasses Android security permissions
Researchers have created an app which could enable a hacker to install and run corrupt code on an Android device.
Security firm ViaForensics says that the application bypasses the mobile operating system’s security permissions to give its creators access to an infected device.
The application exploits Android’s permissions system which is designed to give users control over what capabilities an app can perform. Researchers tested the app, which is not available in the Android Market, on all versions of Android from 1.5 to 4.0 Ice Cream Sandwich and successfully exploited the loophole in all cases.
“We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel,” said ViaForensic’s director of researchand development, Thomas Cannon.
“In this demonstration, Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user,” he added.
The news is a blow for Google’s mobile operating system, which has proved popular with consumers. However, despite having over 200,000 apps on the Android Market, it has proved less popular with developers, who prefer to develop for Apple’s App Store, which currently boasts over 425,000 apps and has passed the 15 billion download milestone.
Earlier this month, Google was forced to remove 22 malicious apps from the Android Market. These apps posed as free versions of popular games which sent SMS messages to premium rate phone numbers when launched.
Security researchers have warned that such instances are likely to become more common as malware developers increasingly target the mobile operating system.