Security duo finds another pair of vulnerabilities in Android

This isn't the first time these two have found bugs in Android that could lead to a potential nightmare scenario.

Remember the duo who released an Angry Birds spoof application last fall in effort to highlight some of Android's vulnerabilities? If so, perhaps you also recall hearing that Google had to implement the remote kill feature in Android about the same time. Well, those guys are back and, judging by their latest finding, things still don't look to be all that secure.

A quick primer: Jon Oberheide and Zach Lanier put an app in the Android Market back in November 2010 that was a proof-of-concept that malicious developers could install additional applications without a user's knowledge. Google was quick to recognize the situation and pulled the "malicious" app , subsequently issuing a fix for the vulnerability.

Fast forward to present day where the security-minded pair have identified two new vulnerabilities in Android . Although both have been shown to Google, neither of the holes have been patched at the time of this writing.

The first bug is considered a "permission escalation vulnerability," which is said to affect all Android handsets, regardless of OS version. In a nutshell, the bug allows attackers to install additional "arbitrary applications with arbitrary permissions," without ever asking the user to permit such installations. In other words, once implemented, attackers can install anything else they want no matter what, accessing data such as call records, texts, Web browsing history, and media.

The second bug affects a very specific model, the Samsung Nexus S, and lets the attacker gain root access and then gain full control over the handset. While this might sound appealing to the modding community, it's a scary situation for someone who's never owned a smartphone.

Oberheide and Lanier are set to teach a two-day mobile security training course at SOURCE Barcelona this November where they will presumably refer to this and other Android vulnerabilities. Let's hope, for the sake of Android's reputation, that these things are resolved much sooner.


About the author

Scott Webster has spent the better part of his adult life playing with cell phones and gadgets. When not looking for the latest Android news and rumors, he relaxes with his wife and son. Scott also is the senior editor for AndroidGuys. E-mail Scott.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
Uber's tumultuous ups and downs in 2014 (photos)
The best and worst quotes of 2014 (pictures)
A roomy range from LG (pictures)
This plain GE range has all of the essentials (pictures)
Sony's 'Interview' heard 'round the world (pictures)
Google Lunar XPrize: Testing Astrobotic's rover on the rocks (pictures)