Malicious Android App Exploits “Old Vulnerability”

Researchers have created an app which could enable a hacker to install and run corrupt code on an Android device.

Security firm ViaForensics says that the application bypasses the mobile operating system’s security permissions to give its creators access to an infected device.

Old Vulnerability

The proof of concept app, called “No-permission Android App Remote Shell” exploits a vulnerability which isn’t new but has been “quietly pointed out for a number of years.”

The application exploits Android’s permissions system which is designed to give users control over what capabilities an app can perform. Researchers tested the app, which is not available in the Android Market, on all versions of Android from 1.5 to 4.0 Ice Cream Sandwich and successfully exploited the loophole in all cases.

“We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel,” said ViaForensic’s director of researchand development, Thomas Cannon.

“In this demonstration, Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user,” he added.

Security Concerns

The news is a blow for Google’s mobile operating system, which has proved popular with consumers. However, despite having over 200,000 apps on the Android Market, it has proved less popular with developers, who prefer to develop for Apple’s App Store, which currently boasts over 425,000 apps and has passed the 15 billion download milestone.

This is due to the fragmented nature of the Android eco-system, the fact that iOS apps generate more revenue and security concerns, which have plagued the platform.

Earlier this month, Google was forced to remove 22 malicious apps from the Android Market. These apps posed as free versions of popular games which sent SMS messages to premium rate phone numbers when launched.

In March it removed 50 malicious apps from the Android market, making use of the remote kill feature which removed the apps from infected devices, while in June, it removed 10 spyware applications.

Security researchers have warned that such instances are likely to become more common as malware developers increasingly target the mobile operating system.