A Dozen Vulnerable Android Apps Uncovered

More than a dozen common Android apps leave mobile phones vulnerable to attack, a mobile security researcher has claimed.

Riley Hassell, founder of Privateer Labs, has alerted Google but refused to publicly identify the apps for fear they would be targeted by criminals, reports Reuters.

“App developers frequently fail to follow security guidelines and write applications properly,” he said.

“Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message.”

A Google spokesman told Reuters that Android security experts were not convinced Privateer Labs had uncovered problems with Android.

App hijacking and phishing

Hassell and a colleague, Shane Macauley, were due to demonstrate at least two theoretical Android attacks during a presentation called “Hacking Android for Profit” at the Black Hat hacking conference in Las Vegas before pulling out at the last minute.

While developing a child-blocking app, Hassell discovered an Android feature that allows apps to respond to other apps being launched. This could be used to insert password protection by a concerned parent or a spoof log-in page by an attacker.

Hassell called this attack, which sees a malicious app mimicking a trusted app to steal users’ credentials and send them to a remote server, “AppPhishing”.

Another attack exploited an Android function called ‘activity reuse’ that allows apps to execute functions belonging to other apps. If an app that makes phone calls is hijacked by a malicious app, it could be used to dial premium-rate numbers or potentially listen in to phone calls.

Hassell and Macauley reportedly had a proof of concept prepared for both attacks targeting Skype but pulled out of the conference upon learning that part of their work may have replicated previously published research.

An open and inviting target

The attacks require a malicious app to be downloaded in the first place, and a previous white paper by Privateer Labs found that the correct permission restrictions are not routinely written in by Android app developers.
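For developers who want to check their own apps for the missing permission restrictions described above, the following added example (not from Privateer Labs or the original article) lists activities, services and receivers in a decoded AndroidManifest.xml that other apps can invoke without holding any permission. The sample manifest and its package and component names are constructed, and the check assumes the legacy default in which a component with an intent filter is exported unless it says otherwise.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dialer">
  <application>
    <activity android:name=".PlaceCallActivity">
      <intent-filter>
        <action android:name="com.example.dialer.PLACE_CALL"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.dialer.permission.SYNC"/>
    <receiver android:name=".SmsReceiver" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>"""

def is_exported(elem):
    """True if other apps can start or bind to this component."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    # Assumed legacy default: an intent filter makes the component exported.
    return elem.find("intent-filter") is not None

def unprotected_components(manifest_xml):
    """Return (tag, name) for exported components with no permission guard."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    # A permission on <application> applies to every component by default.
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for elem in app:
        if elem.tag not in COMPONENTS or not is_exported(elem):
            continue
        if not (elem.get(ANDROID + "permission") or app_permission):
            findings.append((elem.tag, elem.get(ANDROID + "name")))
    return findings

if __name__ == "__main__":
    for kind, name in unprotected_components(SAMPLE_MANIFEST):
        print(f"exported {kind} without permission: {name}")
```

A launcher activity is exported by design and will appear in the output, so findings need a manual look before being treated as defects.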

In March, more than 50 apps infected with the personal-data-stealing DroidDream malware were removed from the Android Market, and a couple of months later 26 more were discovered with a variant called DroidDream Light. It was speculated that DroidDream Light could have infected up to 120,000 users.

As Android’s market share sails past Apple OS it will become an ever more inviting target for malware producers.

No single Android device comes close to challenging Apple’s iPhone as the market leader. However, the sheer volume of different devices running Android means analysts have reported steadily climbing market share for the Google OS. Last week, Gartner pegged Android’s market share at 43.4 percent versus iOS’s 18.1 percent.

Meanwhile, analysts IDC also predicted last week that the enterprise mobile security and management market would balloon 30 percent to $763 million (£470m) by 2015 thanks to the consumerisation of IT, the acceleration of mobile enterprise applications, and cloud computing.

David Jamieson

View Comments

  • These reports are becoming more prolific, it's like watching a train wreck in slow motion. I'm dismayed at Google's apparent indifference to this problem.

  • Google need to be more pro-active, informing & keeping in touch actively, not sitting on the fence
