Mobile security researchers at the firm Viaforensics say they have created a malicious mobile application that requires the phone user to grant no permissions during installation, but could give remote attackers the ability to install and execute malicious code on mobile devices running the Android operating system.
The “No-permission Android App Remote Shell,” as they are calling it, doesn’t take advantage of a security hole in Google’s Android. Rather, it exploits legitimate functionality that has been known about for a number of years, Viaforensics claimed in a blog post.
The application provides access to a wide range of device features, allowing ViaForensics researchers to extract data about the device, control the application, read data from the SD Card and potentially download other applications or exploits. Upon installation, once the device is locked, it connects to ViaForensics’s control server.
“We are using Android the way it was designed to work, but in a clever way in order to establish a two-way communication channel,” said ViaForensics Director of Research and development, Thomas Cannon.
Cannon goes on to claim that Android’s open nature and its built-in multi-tasking capabilities are the platform’s downfall in this instance.
ViaForensics’s demonstration illustrates that security on the Android platform relies, in part, upon the assumption that third party application developers are on the level.
Other researchers have raised similar arguments about the need for more security to be built into the Android platform. In 2010, researchers from Lookout Security did a presentation at DefCon 18 highlighting the ease with which they were ale to abuse Google’s permissions system, both by performing operations without permission and by granting permissions outside their intended scope.
The Viaforensics application has been tested to work on Android versions from 1.5 to 4.0 Ice Cream Sandwich, which is the code name for the newest Android update.
ViaForensics decided not to place their remote shell app on the Official Android Market and will not release the full technical details of the exploit. Last month, security researcher Dr. Charlie Miller was expelled from Apple Computer’s App Store after uploading a malicious application there.
You can read Cannon’s blog post and watch a short demo video here.