Remember the duo who released an Angry Birds spoof application last fall in an effort to highlight some of Android’s vulnerabilities? If so, perhaps you also recall hearing that Google had to use the remote kill feature in Android at about the same time. Well, those guys are back and, judging by their latest findings, things still don’t look all that secure.
A quick primer: Jon Oberheide and Zach Lanier put an app in the Android Market back in November 2010 that was a proof-of-concept that malicious developers could install additional applications without a user’s knowledge. Google was quick to recognize the situation and pulled the “malicious” app, subsequently issuing a fix for the vulnerability.
Fast forward to the present day, where the security-minded pair have identified two new vulnerabilities in Android. Although both have been reported to Google, neither hole had been patched at the time of this writing.
The first bug is described as a “permission escalation vulnerability,” which is said to affect all Android handsets regardless of OS version. In a nutshell, the bug allows attackers to install additional “arbitrary applications with arbitrary permissions” without ever asking the user to permit such installations. In other words, once the bug is exploited, attackers can install anything else they want, no matter what, gaining access to data such as call records, texts, Web browsing history, and media.
The second bug affects one very specific model, the Samsung Nexus S, and lets an attacker gain root access and, from there, full control over the handset. While this might sound appealing to the modding community, it’s a scary situation for someone who’s never owned a smartphone.
Oberheide and Lanier are set to teach a two-day mobile security training course at SOURCE Barcelona this November where they will presumably refer to this and other Android vulnerabilities. Let’s hope, for the sake of Android’s reputation, that these things are resolved much sooner.