Android Glitch Leaves Users Open to Security Attack
A flaw in the Android operating system has left the widely used smartphone software open to remote attack -- a security glitch that could spell danger given the large number of Android-powered devices.
Security researcher Jon Oberheide found that on devices running Android 2.0 or higher, he was able to access the Android service token, reported security firm Kaspersky Lab. The token is used to request permission from the Android Market to install third-party applications on a device. With access to the token, an app can be installed without a password, username or even permission from the Android Market.
To prove his point, Oberheide developed an application disguised as the popular Angry Birds smartphone game. But once a user installs the app, the Android token goes to work installing three separate third-party apps on the user's device. The rogue apps are able to steal contacts, track the device's location and send text messages.
"The token has legitimate users, but you can abuse those same permissions and do things they didn't intend," said Oberheide.
Oberheide will present his findings at an Intel security conference this week.
Update: Google has removed Oberheide's app from the Android marketplace and issued a fix for the flaw.