Google pulls app that revealed Android flaw, issues fix

Researchers release proof-of-concept Android app that demonstrates ability to download other apps without the user's knowledge. Google then fixes the bug.

Elinor Mills, Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.


This screen shot shows a list of the fake Android apps that were sneaked onto the phone by a proof-of-concept app created to show a flaw in the mobile platform. (Image: Jon Oberheide)

Google pulled an app from the Android marketplace that was created to illustrate a flaw in the mobile framework that allowed apps to be installed without a user's knowledge. It then issued a fix for the bug.

Jon Oberheide, chief technology officer of Scio Security, created a proof-of-concept app disguised as an expansion for the popular Angry Birds game. After the app was downloaded, it installed three additional apps without the user's knowledge; those apps held permissions that would have allowed malicious activity but were themselves benign, he told CNET in an interview.

Oberheide and Zach Lanier, a senior consultant at Intrepidus Group, were scheduled to present their research on the Android vulnerability at Intel's annual internal security conference in Hillsboro, Ore., today.

Before they got a chance to give their presentation, Google pulled the app, according to Oberheide. The company also began rolling out a fix for the issue, which applies to all Android devices, a Google spokesperson said in an e-mail late yesterday.

To accomplish the proof-of-concept exploit, the fake app was written to abuse the credentials service that Android has for allowing apps to request authorization tokens, according to Oberheide. For it to work, a user had to first grant credentials to the suspicious app, according to an industry source. Meanwhile, the additional app installations would have appeared in the phone notifications, ostensibly alerting a user to the installation.

Oberheide had two other "research" apps wiped remotely from the Android marketplace in June. Those were designed to test the feasibility of distributing an app that could later be used to take control of a smartphone in an attack.

Another researcher, who goes just by the name Nils and who is head of research at MWR InfoSecurity, presented research at BlackHat Abu Dhabi yesterday that also showed a vulnerability, this one in the Web browser on the Android-based HTC Legend. That flaw could lead to the installation of arbitrary apps with a wide range of permissions without seeking explicit user permission. In his demonstration, Nils showed how an HTC Legend user who visited a malicious Web page in the mobile browser could be targeted in an attack.

The issue in this case is specific to a setting introduced by HTC, the Google spokesperson said.

"Because mobile firmware updates are often slower than comparable PC software updates, taking weeks or months to release, there's a significant period of time between when mobile vulnerabilities such as these are first publicly disclosed and when people are protected," said Kevin Mahaffey, chief technology officer at mobile security firm Lookout.

Smartphone users should be careful to only visit trustworthy Web sites and only download apps from reputable developers, especially when the apps mention known brands but come from an unknown developer. Lookout is releasing a Privacy Advisor feature to its service next week that will allow people to easily see what apps are on the phone and what capabilities and access they have.