Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Android holes allow secret installation of apps

CheerfulMacFanboy (1900788) writes | more than 3 years ago

Security 0

CheerfulMacFanboy (1900788) writes "According to The H Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.

One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole.

Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app intothe Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud", "Fake Contact Stealer" and "Fake Location Tracker") without requesting the user's permission."

Sorry! There are no comments related to the filter you selected.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?