There’s a weakness in the Android operating system that could enable an attacker to install a malicious third-party application on Android devices without the user’s knowledge. A researcher has developed a proof-of-concept app that’s in the Android Market now.
Jon Oberheide, a security researcher who has done extensive research on Android and mobile security, found that on devices running Android 2.0 and higher, he could access a special token on the device that’s used to request permission from the Android Market server to install an application. The token, called the Android service token, is used in place of a username and password each time the Android handset asks permission from the Market server to install an application.
That token isn’t meant to be used by other services or applications on the phone, but Oberheide discovered that he could have an application request that same authorization token and present it to the market server. In this way, he was able to have an application bypass the permission process that Android Market apps present to users when installing an app. That dialog tells the user what processes and information the app has access to on the device, such as location data and network services, for example. Oberheide’s attack doesn’t give the user the option to approve or deny the installation.
“The token has legitimate uses, but you can abuse those same permissions and do things they didn’t intend,” Oberheide said. “I spent a lot of time looking for ways to inject messages into the Gtalk service, and I realized that it was easier just to request this token and have the same functionality without the user approve/deny process.”
Oberheide developed an application disguised as an extension to the popular Angry Birds game. After a user installs the application, it asks for the service token and then installs three separate extensions that each have potentially malicious features. One of the extensions is designed to steal the user’s contacts, another is meant to track the device’s location surreptitiously, and the third is designed to send expensive SMS messages in the background.
After the extensions are downloaded, the user is shown a message informing him that nothing malicious happened, even though the three extensions are already installed.
Oberheide, who will present his attack at an internal security conference at Intel tomorrow along with Zach Lanier, said that there isn’t an easy software fix for this bug. He also said that an attacker could likely exploit a bug in another app remotely and execute this same attack afterward.
“It’s tricky,” he said. “This permission is innocuous, usually. They could warn the user that this credential has a lot more permissions than they thought, but most of the uses are legitimate, so they don’t want to scare users. Google could also say that nothing else can request this token that the Market server uses, but it might have a broader impact. It’s not a trivial patch.”
Earlier this year, Oberheide developed a separate proof-of-concept Android app that could bootstrap a rootkit on Android devices. He disguised the app as a preview of the new Twilight movie and put it into the Android Market. Google later removed the app and then remotely removed it from the devices that had it installed.