The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn’t the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users’ phones as well.

Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users’ phones.

“I don’t know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it’s easy to have the install mechanism too,” Oberheide said in an interview. “I don’t know if they’ve used it yet.”

Oberheide created a program called RootStrap, which he described as a proof-of-concept application to show how an attacker could bootstrap a rootkit on a mobile device. He then posted a benign version of the app on the Android Market under the name “Twilight Eclipse Preview” as a way to get users to download it. About 200 people installed the application, which periodically contacts a remote server to pull down native ARM code. In a real-world attack, that code would be malicious payloads, but in the benign version that Oberheide posted, it did nothing.

During his research, Oberheide had found out about the remote-wipe functionality in Android, called REMOVE_ASSET. After he spoke publicly about RootStrap, Google asked him to remove the app from the Market, which he did. A short time later, he saw a notification on his Android phone telling him that the app had been removed from the device. This was the first time that Google had used the functionality, Google said in a blog post this week.

“The remote application removal feature is one of many security controls Android possesses to help protect users from malicious applications. In case of an emergency, a dangerous application could be removed from active circulation in a rapid and scalable manner to prevent further exposure to users. While we hope to not have to use it, we know that we have the capability to take swift action on behalf of users’ safety when needed,” Google’s Rich Cannings, the Android security lead, wrote.

Oberheide said that during his discussion with Cannings he got the sense that Google was working hard on the security aspects of Android and the Market itself.

“They’re doing a good job, but there’s certainly stuff that they could tighten up on,” he said. “There are some security concerns that come along with the open marketplace, but I think that’s just part of their model, and they’re committed to this open model.”

Many, if not most, Android owners likely had no idea that the REMOVE_ASSET function existed, and Google’s use of it generated quite a bit of publicity and concerns about privacy and security for Android owners. However, Oberheide, the co-founder of startup Scio Security and a PhD candidate at the University of Michigan, said that wasn’t nearly as interesting as the other half of the equation.

“Now, the Android platform not only allows for the removal of applications remotely via the REMOVE_ASSET intent, but also allows for the installation of new applications via the INSTALL_ASSET intent. If some people are upset that Google retains the ability to kill applications remotely (I personally prefer the potential security gains of the functionality), I fear what they’d think of the INSTALL_ASSET feature,” he wrote in a blog post explaining his research and the removal and install features.

The INSTALL_ASSET feature raises a number of privacy and security questions, particularly the question of what rights the software maker has to modify the code on users’ devices. Code changes, in the form of patches and feature updates, are obviously commonplace and most users give little thought to the changes. But few customers likely have contemplated the possibility of Google, Apple, Microsoft or another vendor forcing the installation of a new application on their phones.

“While remotely removing apps might ruffle the feathers of people who like the feeling of having full control over their device, the remote install functionality is of more concern from a security perspective. As I mention on slide #14, if an attacker is able to MITM this SSL GTalkService connection for a particular device, it may be possible to spoof these INSTALL_ASSET messages to deliver a malicious application payload. If Google’s GTalkService servers were compromised, the malicious impact would obviously be a bit more widespread,” Oberheide wrote.
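The spoofing concern Oberheide raises above comes down to whether the device trusts the transport or the message itself. The following is an added example, not Google's GTalkService code (whose real message format is not described on this page), illustrating the defensive principle: a device-side verifier that acts on an INSTALL_ASSET or REMOVE_ASSET command only when the message carries a valid authenticator under a key the transport never exposes, and rejects tampered, replayed, or forged messages. The field names, the HMAC-based scheme, the `DEVICE_KEY` value, and the sample messages are all hypothetical and constructed for this example.

```python
import hmac
import hashlib
import json

# Hypothetical per-device secret, assumed to be provisioned out of band at
# enrollment. A production design would pin a server public key and use an
# asymmetric signature; HMAC keeps this example self-contained and offline.
DEVICE_KEY = b"constructed-device-key-not-a-real-secret"

# The only commands the device will act on (names taken from the article).
ALLOWED_COMMANDS = {"INSTALL_ASSET", "REMOVE_ASSET"}


def canonical_bytes(msg):
    """Deterministic encoding of exactly the fields that are authenticated."""
    fields = {k: msg[k] for k in ("command", "package", "sequence")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key, command, package, sequence):
    """Server side (hypothetical): build a command and attach its MAC."""
    msg = {"command": command, "package": package, "sequence": sequence}
    msg["mac"] = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return msg


class CommandVerifier:
    """Device side: accept a command only if it is fresh and authentic."""

    def __init__(self, key):
        self.key = key
        self.last_sequence = 0  # monotonic counter gives replay protection

    def verify(self, msg):
        for field in ("command", "package", "sequence", "mac"):
            if field not in msg:
                return False, "missing field"
        if msg["command"] not in ALLOWED_COMMANDS:
            return False, "unknown command"
        if not isinstance(msg["sequence"], int) or msg["sequence"] <= self.last_sequence:
            return False, "stale or replayed sequence"
        expected = hmac.new(self.key, canonical_bytes(msg), hashlib.sha256).hexdigest()
        # Constant-time comparison; encode so a non-ASCII mac cannot raise.
        if not hmac.compare_digest(expected.encode(), str(msg["mac"]).encode()):
            return False, "bad mac"
        # Only advance the counter once the message is fully verified.
        self.last_sequence = msg["sequence"]
        return True, "ok"


def run_demo():
    """Walk a verifier through a legitimate message and three attack cases.

    Returns the list of (accepted, reason) tuples in the order checked.
    """
    verifier = CommandVerifier(DEVICE_KEY)
    results = []

    # 1. Legitimate message from the key holder (constructed sample).
    good1 = sign_command(DEVICE_KEY, "REMOVE_ASSET", "com.example.harmless", 1)
    results.append(verifier.verify(good1))

    # 2. Transport-level tampering: an on-path party rewrites the package
    #    name of a fresh message but cannot recompute the MAC.
    good2 = sign_command(DEVICE_KEY, "INSTALL_ASSET", "com.example.update", 2)
    tampered = dict(good2, package="com.example.swapped")
    results.append(verifier.verify(tampered))

    # 3. Replay of an earlier, genuinely signed message.
    results.append(verifier.verify(good1))

    # 4. Forgery under a key the transport observer does not have.
    forged = sign_command(b"wrong-key", "INSTALL_ASSET", "com.example.forged", 3)
    results.append(verifier.verify(forged))

    # 5. The untampered fresh message is still accepted afterwards.
    results.append(verifier.verify(good2))
    return results


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("accepted" if accepted else "rejected", "-", reason)
```

The point of the design is that a compromised or intercepted transport only lets an observer read and replay; without the signing key it can neither alter a command nor mint a new one, and the monotonic sequence number closes the replay path. The MAC is checked after the sequence test so that an unverified message never advances the counter.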

Categories: Malware, Social Engineering

Comments (12)

  1. Anonymous

    Google will you please use this to remove Peep from my Hero. Sprint won’t allow me to be a superuser on my own phone without voiding the warranty. 

  2. Maliha Mariyam

    is this revoke/install ‘feature’ extended to the other manufactures?

  3. Irick

    Okay, now seriously. NO ONE else would get away with this. If these remote install calls were found on iOS or WinMob people would be screaming about FBI, CIA, and so many other acronyms installing spyware with the help of <X> or by pressuring <X> or _something_. But I bet you this just passes under the radar in a week or two. I don’t understand why making a platform “open” gives Google this big of a green light to make it effectively as closed as they want. How is this any better than reviewing the apps beforehand? Google is still reviewing these apps, their criteria may be lax but they still are. What happens if those views change? This infrastructure is extremely worrying if you don’t put _faith_ in Google to remain a wholly neutral party. There has to be a large degree of _trust_ in Google to not feel extremely on edge about this.

    I do not suspect them of abusing this at all, but this just shows how much Google assumes in how much we are willing to give over to them. It may be for the best, but ask yourself if you would give any other company the power to fully control your phone, down to installing apps remotely OTA without your approval.

    Now, they probably designed this thinking they could push antivirus software or something if something bad hit, but still, this is infrastructure that can be exploited, spoofed, and presents a very real threat to the consumer. IMO Google may have overstepped its bounds, though I cannot claim I know every detail about the security issues this may bring into play.

    I don’t think Google is trying to control my phone, but I do think their control infrastructure can be exploited by those who do.

  4. Anonymous

    Meh. What did you expect. Ooh, someone posted something irrelevant on Facebook. Forget about the possibility of Big Brother Google. Kitty > BBG.

  5. Anonymous

    So what? So Google can install software on your phone running ‘their’ OS (read your EULA); same on all versions of Windows and I suspect on Mac OS too. True, if it were that their servers got hacked then there might be an issue, but in reality, nothing to worry about, and if you do worry about such things, cut yourself off from the internet and any other communication device. ;)

  6. mdh

    Anonymous, not worry huh? What about the Chinese government’s Green Dam software that monitors and limits citizens’ access to the Internet? I know I’m definitely not comfortable with anyone, government or a corporation, having access to change or modify any device of mine, especially without my consent, whether it’s my laptop or my mobile phone. Functionality such as this must be declared up front with the owner given the choice to utilize it or not, and the ability to disable it completely. Furthermore, this raises serious privacy issues, just ask the netizens sitting in jail in China and Viet Nam about that. Talk about big brother… wow.

  7. Anonymous

    Seriously, all these capabilities were publicized at Google I/O. Remote application deployment is a fantastic new feature.

    This only applies to apps deployed using the Market, AFAIK. So sideloaded apps remain unaffected.
  8. Anonymous

    Malwarebytes is flagging something on your site from IP 73.244.198.194 as being malicious. Maybe one of the ads?

  9. Anonymous

    Wow, way to not understand what you’re talking about. 

    iOS does have these ‘features’.

  10. Chris Vail

    Jon Oberheide said:

    “Google can push a REMOVE_ASSET message [via GTalkService connection] down to all the Android phones in order to remote kill a particular application deemed malicious.”

    So, it seems if Google knows the name of your application, this will work, even if you have side loaded your app. The Market uses GTalkService, but GTalkService is separate from the Market, and the actual removal is done by Android. And “down to all the Android phones” sounds like they don’t need to check if you have installed the app to be removed or not.

Comments are closed.