Android Application Allows Remote Access – No Permissions Required

Mobile security researchers at the firm Viaforensics say they have created a malicious mobile application that requires the phone user to grant no permissions during installation, but could give remote attackers the ability to install and execute malicious code on mobile devices running the Android operating system.

Mobile security researchers at the firm Viaforensics say they have created a malicious mobile application that requires the phone user to grant no permissions during installation, but could give remote attackers the ability to install and execute malicious code on mobile devices running the Android operating system.

The “No-permission Android App Remote Shell,” as they are calling it, doesn’t take advantage of a security hole in Google’s Android. Rather, it exploits legitimate functionality that has been known about for a number of years, Viaforensics claimed in a blog post.

The application provides access to a wide range of device features, allowing ViaForensics researchers to extract data about the device, control the application, read data from the SD Card and potentially download other applications or exploits. Upon installation, once the device is locked, it connects to ViaForensics’s control server.

“We are using Android the way it was designed to work, but in a clever way in order to establish a two-way communication channel,” said ViaForensics Director of Research and development, Thomas Cannon.

Cannon goes on to claim that Android’s open nature and its built-in multi-tasking capabilities are the platform’s downfall in this instance.

ViaForensics’s demonstration illustrates that security on the Android platform relies, in part, upon the assumption that third party application developers are on the level.

Other researchers have raised similar arguments about the need for more security to be built into the Android platform. In 2010, researchers from Lookout Security did a presentation at DefCon 18 highlighting the ease with which they were ale to abuse Google’s permissions system, both by performing operations without permission and by granting permissions outside their intended scope.

The Viaforensics application has been tested to work on Android versions from 1.5 to 4.0 Ice Cream Sandwich, which is the code name for the newest Android update.

ViaForensics decided not to place their remote shell app on the Official Android Market and will not release the full technical details of the exploit. Last month, security researcher Dr. Charlie Miller was expelled from Apple Computer’s App Store after uploading a malicious application there.

You can read Cannon’s blog post and watch a short demo video here.

Suggested articles

Discussion

  • RS Orlando, Fl on

    If you swallow a poisoned pill, no vaccine will help your siuation. I can think of one fix: Digitaly signed and securly verified certificates with strong accoutability. I would NEVER pickup something on the street and ingest it; yet we all do it freely by going to the Market Place and trustingly download and install away... 

    Coincidently, I would never download anything on my "Windows" machine without verifying the digital authenticity first and visually verifying the certificate path and signing authority and expiry...

    So where does that leave Google and its linux varient? In the toilet without a brush.

  • Anonymous on

    Not even MS digitally signs all their downloads. You would be quite restricted in what you get if that's your requirement.

  • tantoedge on

    Just look for the signs.  Don't download anything you can't verify with a few taps.

    It doesn't take much to check out some reviews, a website, look for proof that the app isn't just some fly by night hack attack.

  • bubble shooter on

    Hello, I like to find out more about this field. I appreciate you for writing this.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.