This lovely little app installs additional apps, tracks your phone, steals contact details, and more! Hooray! Security researchers Jon Oberheide and Zach Lanier plan to give a talk today at an Intel security conference in Hillsboro, Oregon about a bug they’ve found in Google’s Android OS that allows legitimately downloaded apps to do some evil things to your phone. According to these two researchers, this bug allows these legit apps to download more apps to your phone secretly and invisibly, apps that can have “free reign” over your phone without your permission. Woopsie! That’s not good.
The Fake Angry Birds update app is one that these researchers have created to demonstrate the break in the system: this app actually installs a suite of programs that can track your phone’s location, steal your contacts, and send expensive text messages, just like that *snap*!
Forbes reports Oberheide saying the following: “In the past, we’ve focused on the issue of users not paying attention to what permissions they’re approving for their apps,” says Oberheide. “But in cases like this, the attacker can bypass those permissions and it’s very difficult for users to protect themselves at all.” On the other hand, the Angry Birds app they’ve created doesn’t actually do any harm to your phone. It’s just there for illustration purposes. This case has gained and will gain quite a bit of notice simply due to the complete fluke that their fake app was released yesterday at around the same time the REAL Angry Birds update was really ramping up. I think they’ve got precognition powers.
Then, across the world at a Black Hat hacker conference in Abu Dhabi, another researcher by the name of “Nils” revealed (just yesterday) a different bug in the browser implementation of many HTC Android phones that allows websites to, again, invisibly download apps that can gain access to your phone’s workings. No permission needed, very scary.
NOTE: The last time something like this happened, it was again Oberheide’s app that displayed a security risk on Android phones. That time it was with a “Twilight” themed app that, if used maliciously, could bait-and-switch users into downloading apps that would, again, access the info on their phone, send texts, everything. That time, Google used their KILL SWITCH and basically pretended it never happened.
BONUS: Remember back in January when we had a tiny little chat about that particular switch? It’s killer.

[Via Cnet]