Nov 30th, 2011

As if it wasn’t bad enough to have apps like CarrierIQ pre-installed on our devices recording our every swipe, now there’s this. Researchers at North Carolina State University have apparently uncovered some vulnerabilities in the apps that come pre-installed on Android devices that could potentially allow malicious applications to wreak all kinds of havoc on our phones. Things like sending SMS messages to sign you up for 3rd party SMS services, recording late night conversations with your bff — even factory resetting a device, all without any input needed from the user. Fun.

Using a software tool the researchers developed called “Woodpecker,” the team was able to analyze each application that came preloaded on the devices tested, pecking away for “capability leaks.” The devices in question were the HTC Legend, Evo 4G, Wildfire S; Motorola Droid, Droid X; Samsung Epic 4G; Google (HTC) Nexus One and (Samsung) Nexus S. This information was actually revealed to their respective manufacturers and out of HTC, Samsung, Motorola and Google (who isn’t technically an OEM) — only Google and Motorola were willing to confirm the issues.

These vulnerabilities fell into 2 categories: explicit (severe) and implicit (not so bad). Even though the Nexus One and S — which run stock “vanilla” Android — had only the minor security issue, researchers still said they were “surprised” at how stock Android “did not properly enforce the permission-based security model.” So which device was found to be the worst offender? The HTC Evo 4G takes first place with eight explicit leaks discovered.

While it’s possible for 3rd party apps downloaded from the Android Market to have their vulnerabilities exploited by would-be hackers, it’s the ones that come pre-installed that are the biggest target, seeing how they’re already installed right out of the box. Now we just have to wait for some official word from Google to see how they will address this issue. For now… sleep tight, folks.

[Via ArsTechnica]