Denis Maslennikov

A new version of the Android Market has just been launched, making it possible for every device owner to look for applications, buy or even remotely install apps to an Android device directly from the browser on a desktop computer. Wait, remotely install? Have we misheard something?

No, it’s an official feature of the brand new market. If you use an Android device, it means that you have a GMail account associated with your device, and now you can remotely install any application from the Android store. You just need to:

  • log in to the market with the GMail account associated with your smartphone;
  • choose any application you would like to install;
  • click the ‘Install’ link;
  • carefully read all the permissions required by the application;
  • click the ‘Install’ link again.

If your smartphone is connected to the Internet, you will immediately notice on the device’s screen that an install is already taking place. Why is this a problem? When installing apps via the market on your phone, you must agree to all the permissions being requested before the app will actually install on your phone. With this new incarnation of the Android Market, those permissions are only displayed on the app page within the web interface of the Android Market. After agreeing to these permissions there, the app is installed without any confirmation prompt on your mobile device.

So what? Isn’t that convenient? Yes, for you, and for anyone who may gain unauthorized access to your Gmail account. Such access would give an attacker the ability to purchase and install any app available within the Android Market on your phone.

Apps within the Android Market feature a lot of options, many of which could be used maliciously by an unauthorized third party.

This is just one more reason to create strong passwords, and be ever vigilant about access to your accounts and devices.
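One practical form of that vigilance is to periodically compare what is installed on the handset against a list of apps you know you installed, and to look at the permissions of anything unexpected. The script below is an added example (not from the original article or from Google); it parses a constructed, simplified sample shaped like `adb shell dumpsys package` output, so the block layout it expects and the watch list of permissions are assumptions of this example rather than a documented format.

```python
import re

# Permissions worth a second look on an app the owner does not remember
# installing (a watch list chosen for this example, not taken from the page).
SENSITIVE = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}

def parse_dumpsys(text):
    """Map package name -> {"installed": firstInstallTime, "perms": set}
    from the per-package blocks of (simplified) `dumpsys package` output."""
    pkgs, cur, in_perms = {}, None, False
    for line in text.splitlines():
        if m := re.match(r"\s*Package \[([\w.]+)\]", line):
            cur = pkgs.setdefault(m.group(1), {"installed": "", "perms": set()})
            in_perms = False
        elif cur is None:
            continue
        elif m := re.match(r"\s*firstInstallTime=(\S+ \S+)", line):
            cur["installed"], in_perms = m.group(1), False
        elif re.match(r"\s*requested permissions:", line):
            in_perms = True
        elif in_perms and (m := re.match(r"\s+([\w.]+)\s*$", line)):
            cur["perms"].add(m.group(1))
        else:
            in_perms = False  # any other line ends the permission list
    return pkgs

def audit(text, baseline):
    """List (package, firstInstallTime, sensitive perms) for each package
    that the owner's known-good baseline does not contain."""
    return sorted(
        (name, p["installed"], sorted(p["perms"] & SENSITIVE))
        for name, p in parse_dumpsys(text).items() if name not in baseline
    )

# Constructed sample shaped like `adb shell dumpsys package` output.
SAMPLE = """\
Packages:
  Package [com.android.browser] (4a1b2c3):
    firstInstallTime=2011-01-10 09:12:00
    requested permissions:
      android.permission.INTERNET
  Package [com.example.game] (5d6e7f8):
    codePath=/data/app/com.example.game-1.apk
    firstInstallTime=2011-02-03 22:41:17
    requested permissions:
      android.permission.INTERNET
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
    installerPackageName=com.android.vending
"""
BASELINE = {"com.android.browser"}  # packages the owner knows about
```

Running `audit(SAMPLE, BASELINE)` flags only `com.example.game`, with its install time and the two watch-listed permissions it requests.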

We have reached out to Google to discuss this security risk.

We can’t seem to find a way to disable these remote installs from the browser. At the minimum, it’s important that Android users have the ability to turn off this feature.

*Denis Maslennikov is a Senior Security Researcher for the Global Research and Analysis Team at Kaspersky Lab.

This article originally appeared on Securelist.com

Categories: Vulnerabilities, Web Security

Comments (14)

  1. Anonymous

    I need a little more explanation on the hypothetical attack here.  First, someone has to compromise a Gmail account.  As it is, that’s already about the worst info security incident that could possibly happen in many people’s personal affairs.  But ok, so they’ve done that, but now supposedly it’s *really* bad because they could start buying and installing official Android Market apps onto that person’s phone without them knowing (well, except that there’d be alerts in the notification bar, and the apps would be in the app drawer, and they’d be at the top of the “my apps” list in the Market app, but otherwise the victim would have no way of knowing!)  Then, after that, in some manner completely left to the imagination of the reader here, the attacker could take advantage of those apps on the victim’s phone in order to do more bad things.  I’m having trouble imagining what.

    Slow news day in the security business?

  2. Andrew Gross

    It would be nice if you could use your phone as a form of 2-factor authentication for this (since everyone will have the token) to prevent someone from cracking your gmail account and installing malware or overpriced apps.

  3. Anonymous

    These issues are also listed on the Market directly from the phone…sounds like something that a company wanting to peddle antivirus would want to be on top of.  Maybe even add those warnings to their app.  And make it free.  Oh wait.  Lookout.

  4. Miah Johnson

    I wonder if you also reported on the security issue of Appbrain having a ‘Web Install’ client as well. It worked great until Google made a change to stop the functionality. It’s interesting to note, considering Google now offers the same feature that they have prevented others from using. Also, Appbrain uses Google login as well and is really a better web marketplace.

  5. Gilbert Mendoza

    Honestly, I get the point being made, but it’s not a Google or Android Market problem.  It’s the same issue with any system that relies on individuals for their own password protections.  I much prefer to enjoy the benefits of progress and innovation, realizing that no matter how many times you teach people about personal security, they don’t learn until something bad happens.

    But on that note, it would be awesome to have even a paid option for multi-factor authentication with Google services, e.g. RSA SecurID, WiKID, etc.

  6. Anonymous

    I don’t think this is something to panic over; however, it should be something to be aware of and think about if you have an Android phone. Knowledge and being aware is the biggest fight against security issues.

  7. Jim Peak

    THANK YOU for writing this.  I’m an IT professional, but can’t watch everything all the time.  So, I wouldn’t have been aware of this had you not said something.

    My wife uses a Droid, so now I can give her a heads-up.  THANKS!

  8. Anonymous

    The easiest way to avoid things like this is to do what I do…don’t link your Android phone to your Gmail account. This prevents unwanted pesky Market apps from being installed with or without your consent. The majority of the apps available are lame anyway; so why even bother with it.

    ~Just my $0.02

  9. Anonymous

    Just enable the two factor authentication for your google account if you’re worried.  Then, whenever you login via your google account to install remotely to your phone, you’ll have to have your phone on hand to do so in order to install.  Which ironically sort of defeats some of the advantage of remote install if you have to have it with you I guess.  Hmmm..

  10. Anonymous

    Seems like Google is already going in that direction.

    Users will be able (optionally) to use an OTP generated from a phone to log in to their accounts. That feature was announced recently and is to be rolled out in the next few weeks.

    More info at this link (not sure if it will work for anyone):

    http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284

    And here are some official words from Google:

    http://googleblog.blogspot.com/2011/01/celebrating-data-privacy-day.html

    As you can read near the end… (quoting) “And pretty soon we’ll be extending the availability of 2-step verification, an advanced account security solution that is now helping protect more than 1,000 new accounts a day from common problems like phishing and password compromise. Right now it’s available to Google Apps Accounts; we’ll be offering it to all users in the next few weeks.”

  11. Jim Peak

    C’mon, man- hope you’re joking about the “needing a haircut.”  Why should it matter?  Did Einstein wear socks?  [rhetorical question: I don’t know, & don’t think it matters :) ]

Comments are closed.