Installing malicious applications snuck onto the Android Market might not be the only worry of users browsing the app store. A new cross-site scripting (XSS) hole in the web version of the Android Market has left handsets vulnerable to the installation of apps without the consent of the user. Using a script injected into the application description field, attackers can remotely install apps to a user’s handset. Other tricks are then employed that use system events to launch the bad programs without the handset owner’s knowledge.
The security hole was discovered by Android security specialist Jon Oberheide and reported to Google. The company has already made the necessary changes to prevent would-be hackers from gaining access to devices logged into the web market. Oberheide had initially considered using the exploit to go after a $15,000 prize as part of the Pwn2Own contest, but instead did everyone a favor by tipping Google off to the problem. You can thank him for that later.
[via H-Online]