December 22, 2011, 1:39 PM — A security researcher has discovered that an Android security flaw revealed in detail 18 months ago still exists and still offers attackers an easy way to take root control of even updated Android devices without getting permission or passwords from the owner.
The flaw is a weakness in the assumptions Android developers made in creating the permissions-based security model on which Android devices depend, according to Thomas Cannon, R&D director at digital security company viaForensics, who posted a demonstration of his exploit yesterday.
Rather than having to install a virus or rootkit, attackers could build or adapt a legitimate app that, when installed, tells Android it is responsible for executing all code starting with a specific prefix – app://, for example.
When the app runs, it calls a particular web site that forwards the request to a second URL that begins with the prefix the malicious app already registered.
Android allows the code to download and allows the malicious app to execute the code because both have already registered with Android security as legitimate.
The prefix on files or messages accessible via the Internet creates the potential for two-way communication between the malicious app and a controller. According to Cannon's demo, that channel gives the controller the ability to execute any Android command, access functions of many apps running on the Android device and run almost any code the controller decides to download.
The security hole is built into Android's security framework, which allows apps being installed to register their own permissions using an XML file that tells Android what permissions the app needs in order to operate and what permissions other apps need in order to call on its functions.
Malicious apps can install with few or no permissions, but accomplish anything they want by calling on either Android or other apps to provide it, according to a presentation on the security flaw made at the Defcon18 security conference in July 2010 by Lookout Security's Anthony Lineberry, David Luke Richardson and Tim Wyatt.
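A defender's view of the pattern described above, as an added example that is not from Cannon's demo or the article itself: a Python audit of a decoded AndroidManifest.xml that flags activities reachable from a web redirect through a custom prefix in an app that requests few or no permissions. The sample package and class names, the `COMMON_SCHEMES` allowlist and the `max_permissions` threshold are assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer the defusedxml package

ANDROID = "{http://schemas.android.com/apk/res/android}"
BROWSABLE = "android.intent.category.BROWSABLE"
# Assumption: schemes treated as ordinary; anything else counts as a custom prefix.
COMMON_SCHEMES = {"http", "https", "file", "content", "mailto", "tel", "geo", "market"}


def audit_manifest(manifest_xml, max_permissions=1):
    """Audit a decoded (plain-text) AndroidManifest.xml for the article's pattern."""
    root = ET.fromstring(manifest_xml)
    permissions = sorted(p.get(ANDROID + "name", "") for p in root.iter("uses-permission"))
    handlers = []
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            for flt in comp.iter("intent-filter"):
                cats = {c.get(ANDROID + "name") for c in flt.iter("category")}
                if BROWSABLE not in cats:
                    continue  # not launchable from a web link or redirect
                for data in flt.iter("data"):
                    scheme = (data.get(ANDROID + "scheme") or "").lower()
                    if scheme and scheme not in COMMON_SCHEMES:
                        handlers.append((comp.get(ANDROID + "name"), scheme))
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "custom_scheme_handlers": handlers,
        # Redirect-reachable handler on an app that asks for almost no permissions.
        "suspicious": bool(handlers) and len(permissions) <= max_permissions,
    }


# Constructed sample manifest (hypothetical package and class names).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <activity android:name=".Relay">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="app"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
```

A hit is a triage signal rather than a verdict, since many legitimate apps register custom schemes for deep links; the low permission count is what narrows the list for manual review.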