Researcher finds serious Android Market bug

Google applies technical fix to bug, but Jon Oberheide says Android Market should be alerting phone owners when an app is being remotely downloaded via the Web site.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
Researcher finds simple bug in Android Market that could have allowed someone to distribute malicious apps on Android phones.
Researcher finds simple bug in Android Market that could have allowed someone to distribute malicious apps on Android phones. Jon Oberheide

Google has fixed a bug in the Android Market that could have allowed attackers to distribute malicious apps to gain control of devices.

"Since the Android Web market was launched earlier this year, it was possible to remotely install arbitrary applications with arbitrary permissions onto a victim's phone simply by tricking them into clicking a malicious link (either on their desktop or phone)," Jon Oberheide, co-founder and chief technology officer at Duo Security (formerly Scio Security), wrote in a blog post today. "The exploit works universally across all Android devices, versions, and architectures."

Oberheide described the XSS vulnerability as "low-hanging fruit" and said he was surprised no one had discovered it before. Such bugs are very common in Web sites.

The Android Market allows people to remotely install new apps on to their Android smartphones while browsing the site on their desktop computers.

"While being able to browse the Android market via your browser on your desktop and push apps to your device is a great win for user experience, it opens up a dangerous attack vector. Any XSS vulnerabilities in the Web market allow an attacker to force your browser into making a 'Post' request that triggers an app installation to your phone," Oberheide wrote. "Since there is no on-device prompt or confirmation for these 'Install_Asset' requests pushed to your phone, an attacker can silently trigger a malicious app install simply by tricking a victim into clicking a link while logged in to their Google account on their desktop or on their phone. The malicious app delivered to the victim's phone can use any and all Android permissions, allowing for all sorts of evil behavior."

Google should include a feature that prompts the owner of the phone to confirm via the device the download of any app rather than just allowing them to be remotely installed, Oberheide said in a phone interview with CNET. The Android Market is "not inherently insecure but there is a danger when you start pairing up your desktop computer to your Google account and your mobile device," he said.

Oberheide said he informed Google about the bug in mid-February and that it fixed it a week or so ago.

He bemoaned the fact that after he had reported the bug to Google and been paid $1,337 as reward, he learned that he could have made $15,000 if he had entered it and won in the Zero-Day Initiative's Pwn2Own contest at the CanSecWest security conference this week.

Asked to comment on the matter, a Google representative said: "We enjoy rewarding high-quality Web application security research via our vulnerability reward program. More information can be found here."

The news of the XSS bug comes on the heels of Google announcing last weekend that it had pulled about 58 malicious apps from the Android Market and would remotely wipe them from the approximately 260,000 Android devices that had downloaded them.

Researchers at mobile security provider Lookout also released more details on the malware, dubbed DroidDream, because a string of code that used that term in the software. The malware was configured only to run between 11 p.m. and 8 a.m., when a device owner would likely be asleep or have the phone off, Lookout said in a blog post.

The post describes the malware as a "zombie agent" that gains root permissions and then waits and silently installs a second app that sends information about the device to an outside server.

"When the malware gets on your phone it basically issues a blank check for additional apps to be downloaded," Lookout Chief Technology Officer Kevin Mahaffey said in an interview today. "The sky is the limit in terms of what it could have done because the malware had (complete system administrator) root access."

The free version of Lookout can be used to scan the device to see if it has been infected with the malware. Lookout advises people not to do a factory reset on the device as that may not rid it entirely of the malware. Google's remote "kill switch" will take care of that.