The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn’t the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users’ phones as well.
Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users’ phones.
“I don’t know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it’s easy to have the install mechanism too,” Oberheide said in an interview. “I don’t know if they’ve used it yet.”
Oberheide created a program called RootStrap, which he described as a proof-of-concept application to show how an attacker could bootstrap a rootkit on a mobile device. He then posted a benign version of the app on the Android Market under the name “Twilight Eclipse Preview” as a way to get users to download it. About 200 people installed the application, which periodically contacts a remote server to pull down native ARM code. In a real attack, the code pulled down would be a malicious payload; in the benign version that Oberheide posted, it did nothing.
During his research, Oberheide had found out about the remote-wipe functionality in Android, called REMOVE_ASSET. After he spoke publicly about RootStrap, Google asked him to remove the app from the Market, which he did. A short time later, he saw a notification on his Android phone telling him that the app had been removed from the device. This was the first time that Google had used the functionality, Google said in a blog post this week.
“The remote application removal feature is one of many security controls Android possesses to help protect users from malicious applications. In case of an emergency, a dangerous application could be removed from active circulation in a rapid and scalable manner to prevent further exposure to users. While we hope to not have to use it, we know that we have the capability to take swift action on behalf of users’ safety when needed,” Google’s Rich Cannings, the Android security lead, wrote.
Oberheide said that during his discussion with Cannings he got the sense that Google was working hard on the security aspects of Android and the Market itself.
“They’re doing a good job, but there’s certainly stuff that they could tighten up on,” he said. “There are some security concerns that come along with the open marketplace, but I think that’s just part of their model, and they’re committed to this open model.”
Many, if not most, Android owners likely had no idea that the REMOVE_ASSET function existed, and Google’s use of it generated quite a bit of publicity and concerns about privacy and security for Android owners. However, Oberheide, the co-founder of startup Scio Security and a PhD candidate at the University of Michigan, said that wasn’t nearly as interesting as the other half of the equation.
“Now, the Android platform not only allows for the removal of applications remotely via the REMOVE_ASSET intent, but also allows for the installation of new applications via the INSTALL_ASSET intent. If some people are upset that Google retains the ability to kill applications remotely (I personally prefer the potential security gains of the functionality), I fear what they’d think of the INSTALL_ASSET feature,” he wrote in a blog post explaining his research and the removal and install features.
The INSTALL_ASSET feature raises a number of privacy and security questions, particularly the question of what rights the software maker has to modify the code on users’ devices. Code changes, in the form of patches and feature updates, are obviously commonplace, and most users give little thought to them. But few customers have likely contemplated the possibility of Google, Apple, Microsoft or another vendor forcing the installation of a new application on their phones.
“While remotely removing apps might ruffle the feathers of people who like the feeling of having full control over their device, the remote install functionality is of more concern from a security perspective. As I mention on slide #14, if an attacker is able to MITM this SSL GTalkService connection for a particular device, it may be possible to spoof these INSTALL_ASSET messages to deliver a malicious application payload. If Google’s GTalkService servers were compromised, the malicious impact would obviously be a bit more widespread,” Oberheide wrote.