(LiveHacking.Com) – A group of researchers from North Carolina State University has discovered flaws in non-vanilla versions of Android which leak permissions or capabilities to other applications. By exploiting these leaked capabilities, a third-party app can send SMS messages, record calls and even reboot the phone without asking for any permission.
Unlike Apple, which strictly controls its App Store and offers only one source for downloads, Android has multiple app stores, and none of them, including the official Google Market, performs any kind of security check on the apps made available for download. This means that when vulnerabilities are discovered in Android, hackers are free to upload apps to the Android Market that exploit the weaknesses.
To combat this, Android uses a permissions model where any app wanting to do something extra (including connecting to the Internet) needs to ask permission from the user. The model is severely flawed, as most non-technical people have no idea what these permissions mean and normally just accept them anyway.
Michael Grace, Yajin Zhou, Zhi Wang and Xuxian Jiang have discovered that non-vanilla versions of Android come with extra pre-loaded apps and that these bundled apps have access to some permissions that are too privileged to be granted to third-party apps.
The team built an app called Woodpecker which scans the pre-loaded apps to see which apps offer a public interface exposing a capability that would normally require permission. They also use another technique to find “implicit capabilities” among apps signed with the same user identifier.
The researchers analyzed eight popular Android (2.2 and 2.3 based) smartphones (HTC Legend, HTC EVO 4G, HTC Wildfire S, Motorola Droid and Droid X, Samsung Epic 4G and the Google Nexus One & Nexus S) and discovered 11 privileged permissions that are “leaked”. One phone, the HTC EVO 4G, leaks eight permissions.
In a video posted on YouTube, Michael Grace demonstrates the installation of the Woodpecker app (which required no special permissions) and then how the app was able to record sounds (including phone calls), send an SMS message (which could have been to a premium phone number) and reboot the device without asking.
“The results are worrisome: among the 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. These leaked capabilities can be exploited to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain the user’s geo-location data on the affected phones – all without asking for any permission” say the report authors.