You decide you’re ready to try out that newfangled game that everyone is talking about. Mad Chickens, or something. You search, click, read some comments, click install. Before anything is installed to the phone you are greeted with a list of things this particular application has access to on your device, and you are asked to confirm that everything is OK before proceeding to download and installation. Up until now that was all fine and dandy, and you could rest easy in the knowledge that applications only had access to what you deemed appropriate.
All of that is out the window. A (massive?) security flaw has been discovered that allows a malicious application to access parts of a user’s device that it was never intended to reach, and, more frighteningly, that it never declared it had the right to access. Malicious applications are nothing new to Android, but until now the user had to ignore what the application was requesting access to in order for the program to be installed.
“In the past, we’ve focused on the issue of users not paying attention to what permissions they’re approving for their apps,” says Oberheide. “But in cases like this, the attacker can bypass those permissions and it’s very difficult for users to protect themselves at all.”
The application in question poses as a set of bonus levels for the not often talked about Angry Birds, when in fact it has nothing to do with the game. Once it is installed, the application is capable of installing other applications to the device that are malicious in nature. Note that I said “capable of”, not “it does”. Think of things like paid text messages and other bone tingling services that could hit the soft underbelly of your monthly bill if this exploit were to fall into the wrong hands.
Thankfully, there is light at the end of this tunnel. Those who discovered the vulnerability and created the spoof application are the good guys: the ones who want it patched and are ready to demonstrate what the flaw is, hopefully not to the public. In a talk tomorrow at a security conference hosted by Intel in Hillsboro, Oregon, the men who discovered the flaw will discuss their findings.
Just remember to read the comments and only install applications from trusted sources. A little common sense can go a long way, and if something doesn’t feel right, just back away.