GET THE APP:  CURRENTLY HOT:   Android Fire TV Fire TV Forums HTC One M8 Moto 360

More Android Security Issues Exposed – This Time From Apps Already Installed On Your Device

It wasn’t bad enough to have apps like CarrierIQ pre-installed on our devices which record our every swipe and now this. Researchers at North Carolina State University have apparently uncovered some vulnerabilities in the apps that come pre-installed on Android devices that could potentially allow for malicious applications to wreak all kinds of havoc on our phones. Things like sending SMS messages to sign you up for 3rd party SMS services, record late night conversations with your bff — even factory reset a device and all without any input needed from the user. Fun.

Using a software tool the researchers developed called “Woodpecker,” the team was able to analyze each application that came preloaded on the devices tested, pecking away for “capability leaks.” The devices in question were the HTC Legend, Evo 4G, Wildfire S; Motorola Droid, Droid X; Samsung EPIC 4G; Google (HTC) Nexus One and (Samsung) Nexus S. This information was actually revealed to their respective manufacturers and out of HTC, Samsung, Motorola and Google (who isn’t technically an OEM) — only Google and Motorola were willing to confirm the issues.

There vulnerabilities fell into 2 categories: explicit (severe) and implicit (not so bad) and even though the Nexus One and S — which run stock “vanilla” Android — had only the minor security issue, researches still said they were “surprised” at how stock Android “did not properly enforce the permission-based security model.” So which device was found to be the worst offender? The HTC EVO 4G take the first place with eight explicit leaks discovered.

While it’s possible for 3rd party apps downloaded from the Android Market to have their vulnerabilities exploited by would-be hackers, it’s the ones that come pre-installed that are the biggest target, seeing how they’re already installed right out of the box. Now we just have to wait for some official word from Google to see how they will address this issue. For now… sleep tight, folks.

[Via ArsTechnica]




  • Eyad (formerly CTownOL)

    Bloatware… beware!

  • ScottColbert

    While this seems concerning, it would be helpful to know a number of things; what apps do this, are they from google, or the device maker? There’s the making of a worthwhile story here, but there’s too much left unknown to do anything but fan the flames of paranoia. 

    • thedicemaster

      considering the nexus had only 1 minor leak and the evo 8 big leaks it’s pretty obvious the major problems are all in software added by the manufacturer.
      only 1 google app has a (small) security problem.

    • wakkoman

      You Android fanboys are so clueless of how FUCKED you are getting by Google. LOL Hilarious. 

      And your mom’s boobs still taste like apples. Mmmmmm.

  • s15274n

    It was North Carolina State University. UNC is the school for hippies, preps and lawyers.

    • Itchy_Robot

      Don’t forget about teachers … everyone hates a good teacher … wait a minute =/

    • CalypsoArt

      “hippies, preps and lawyers”. This a is America, who else is there?

      • myepicemailadress

        Software designers, computer programmers, software coders, am I wrong? Every college has to have a good software & technology corse.. The one’s who’re knowledgeable enough to preform malicious information exploits, and the fact that carrier’s can do it too at their own execution, none the less is bothersome and an issue, how much information and data on our phones is truly safe at all? Who already without our knowledge already have access to it? 

        CarrierIQ has been known for months… it’s just now getting some questioning and wonder.. I find it bothering that it’s taken more than a year to address the matter.. But it is not our friend, we cannot opt out of it, nor deny it access, how is that not shady? and the service has potential to be malicious, with carrier knowledge, and unbeknownst to you the phone buyer, and if you did know about it and wanted to do something about it, you have to root your device which breaks warranty and get a custom rom and kernel then flash them to your device, and you’ll want a recovery, so you’ll need clockworkmod as well.. I think Cyanogen Mod has it removed in some devices with CIQ.. to be rid of it.. That’s whack. :/

  • randy cowles

    I’m sure the threat is real but the thing is, I’ve never actually met anyone who has had there android phone hacked. I’ve had several different android phones starting with the g1 and just about everyone I know has one, right down to my mother in law. Never even heard a friend of a friend kind of thing.

    • Aeires

      I was thinking the same thing, how many people out of the millions of users actually have this happen?

  • ADWheeler

    Maybe researchers at North Carolina University can come up with a spelling and grammar checker for this website.  Seriously guys, email me…I am for hire.

    • http://twitter.com/TwiTati Tati

      Come on, grammar here is not “sever”!

    • http://twitter.com/gamercore Chris Chavez

      Why hire when you and @twitter-24753073:disqus are nice enough to do it for free? =p

  • JohnFeinberg

    And what apps are they really examining? A lot of apps are malicious on the market. HTC had a security issue, but that was fixed. 

  • Magus2300

    Further reason to eliminate all unnecessary UI overlay bull$#!+ and preloaded bloatware.

  • oomatter

    The actual paper is beyond me, but since they only found one minor issue with the Nexus devices they tested it’s just another reason to for me to wait for the Galaxy Nexus.

  • Itchy_Robot

    I am so happy Verizon finally got the Nexus.

  • Xcelr8ion

    Another reason to root and use titanium backup and freeze the crap or uninstall it completely!

  • http://pulse.yahoo.com/_4K5RNREUPNDDPD7PJEQAJ3W3NI Robert

    Further proof that we don’t need bloatware!!!

    • wakkoman

      Actually its furthre proof that Google doesn’t know how to create secure platforms. But keep blaming the carriers!

  • Alamudi Ab

    this just agenda