Pre-Loaded Android Apps Leave Phones Open to Attack
|Image composite by SecurityNewsDaily|
Android phones, or at least some of them, contain a serious glitch that an attacker could exploit to steal data, eavesdrop on your calls or even wipe your phone clean.
A team of computer science researchers from North Carolina State University discovered the flaw on eight smartphones from HTC, Motorola, Samsung and Google. In their paper, "Systematic Detection of Capability Leaks in Stock Android Smartphones," the researchers explain that the issue stems from coding bugs, called "capability leaks," within Android's permission-based security system.
An attacker that exploits a capability leak on a targeted phone could also obtain a phone's geo-location data and send premium-rate text messages, all without the victim's knowledge.
"Several privileged (or dangerous) permissions that protect access to sensitive user data or phone features are unsafely exposed to other apps which do not need to request these permissions for the actual use," the researchers wrote.
As it stands, Google requires each Android app to explicitly request permission from customers as to what it can access on a user's phone. In this way, each person has control over their apps, and each app can perform its functions only if granted permission to do so.
But on the eight phones the researchers examined, the permissions-protection system went out the window.
The university researchers explained in their paper, as well as in a YouTube video, that the code that allows these apps to sidestep Android's permission system lies in the interfaces and services phone manufacturers add on to their devices to supplement Google's firmware.
"Particularly, smartphones with more pre-loaded apps tend to be more likely to have explicated capability leaks ," the researchers explained.
The team used a diagnostic tool, called Woodpecker, to prod the phones for such leaks, and admitted the results of the tests were "worrisome."
The phones tested were the Legend, EVO 4G and Wildfire S, all from HTC; the Droid and Droid X, from Motorola; the Samsung Epic 4G; and Google's Nexus One and Nexus S. Of the eight, the Legend, EVO 4G, Wildfire S, Droid X and Epic 4G all did poorly, with at least four "leaks." (The EVO 4G had 10.)
"If you have one of these phones, your best bet to protect yourself moving forward is to make sure you accept security updates from your vendor," Xuxian Jiang said. "And avoid installing any apps that you don't trust completely ."
However, the NCSU team also found one "leak" each on the Google Nexus One and Nexus S phones, as well as the Motorola Droid. The Google phones are "reference" models that Google uses to show off the Android OS, and have minimal amounts of carrier add-ons. The researchers noted that the Droid's system image was very close to the reference image.
If even the "pure" Android builds on those three phones are vulnerable, it implies that far more phones than the eight tested have such problems.