Later today, two security researchers, Jon Oberheide and Zach Lanier, will take to the stage at the Intel Security Conference in Hillsboro, Oregon to discuss a new flaw in the Android operating system that allows applications to silently download additional apps, which have full privileges on a user’s handset, without requiring user permission.
An application demonstrating the previously undisclosed flaw is another new Angry Birds app, promising new levels. As you may have guessed, this “new” app isn’t an official Rovio app; it’s a proof of concept created by Oberheide and Lanier that will install a number of different programs that could be capable of silently tracking a handset’s location, stealing contacts or sending premium rate text messages.
Malware apps on the Android operating system have cropped up in the past but would fall foul of the in-built security checks in the OS. Typically, when an Android app is installed, Android will flash up a list of permissions that the application requires (access to SMS, Contacts, etc.), allowing the user to be in complete control of the installation process. If the application required access to sensitive information, the user could cancel the installation process and their handset would remain uncompromised.
The worrying aspect of Oberheide and Lanier’s new flaw is that it bypasses this in-built security check, allowing malicious apps to download other programs in the background without any notification to the user. Luckily, the duo’s Angry Birds app isn’t malicious; instead, it downloads three additional programs which do have access to the phone’s sensitive features but just display a warning message disclosing the flaw.
Forbes writer Andy Greenberg contacted Google, which noted it was previously unaware of the flaw but is currently investigating the bug. Greenberg also notes that Oberheide has presented a proof-of-concept app highlighting flaws in the Android OS in the past, where Google decided to invoke its application “kill switch”, which would remotely wipe the application from all of the handsets that had downloaded it.
With Gingerbread incoming, Google may rush to patch the flaw instead of invoking its “kill switch”. We will be keeping an eye on this matter as it develops, so stay tuned.