Years-old security flaw gives attacker full remote control of Android devices

Shows flaw laid out in detail at Defcon 18 months ago still offers back door to hackers

By  

If the installed app doesn't have permission to access the Internet, it can launch a browser, which does. It can be set to launch the browser only when the screen is off and the phone is otherwise inactive, to keep activity covert.

It can also load its own URI receiver, which would allow it to communicate back and forth with a web site without having to launch a separate browser, the presentation said (PDF of slides, m4v video).

It can also make itself far more unkillable with the "Circle of Death" takeover tactic, in which the application runs as an Activity with a rejuvenation feature built into its shutdown process.

If the user kills the malicious Activity, on the way down it launches a Service that relaunches the original Activity, according to the Lookout presentation.
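The three ingredients described above (an app that requests no INTERNET permission, a BROWSABLE intent filter on a custom URI scheme that acts as the "URI receiver", and a Service that can revive the Activity) are all visible in an app's manifest before it is ever installed. The following is an added example of a static manifest check a reviewer could run; it is not code from the article or from Cannon's presentation. The sample manifest, package name, scheme name and component names are constructed for illustration, and the check only establishes capability, not intent, so its output is a prompt for manual review rather than a verdict.

```python
"""Static AndroidManifest.xml audit for the zero-permission browser pattern.

Added example (not from the article or the presentation it describes). Flags
apps that request no INTERNET permission yet declare a BROWSABLE intent filter
on a custom URI scheme (a way to receive data back from a browser) and/or a
Service (a way to keep components alive). Both are legitimate features; the
combination simply deserves a closer look.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # prefix for android:* attributes in ElementTree
INTERNET = "android.permission.INTERNET"

# Schemes handled by the platform or common apps; anything else counts as custom.
STANDARD_SCHEMES = {"http", "https", "file", "content", "tel", "mailto", "geo", "sms"}

# Constructed sample manifest: no permissions, one BROWSABLE custom scheme, one Service.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplecmd"/>
      </intent-filter>
    </activity>
    <service android:name=".KeepAliveService"/>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return a dict summarising permissions, custom BROWSABLE schemes,
    declared services and the resulting review findings."""
    root = ET.fromstring(xml_text)

    permissions = {p.get(A + "name") for p in root.iter("uses-permission")}
    has_internet = INTERNET in permissions

    # (activity name, scheme) pairs for every BROWSABLE filter on a non-standard scheme.
    custom_schemes = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            categories = {c.get(A + "name") for c in flt.findall("category")}
            if "android.intent.category.BROWSABLE" not in categories:
                continue
            for data in flt.findall("data"):
                scheme = data.get(A + "scheme")
                if scheme and scheme.lower() not in STANDARD_SCHEMES:
                    custom_schemes.append((activity.get(A + "name"), scheme))

    services = [s.get(A + "name") for s in root.iter("service")]

    findings = []
    if not has_internet and custom_schemes:
        findings.append(
            "No INTERNET permission, but BROWSABLE custom scheme(s) declared: "
            + ", ".join("%s -> %s" % pair for pair in custom_schemes)
        )
    if not has_internet and services:
        findings.append(
            "No INTERNET permission, but Service(s) declared: " + ", ".join(services)
        )

    return {
        "internet_permission": has_internet,
        "custom_schemes": custom_schemes,
        "services": services,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for line in report["findings"] or ["No findings."]:
        print("REVIEW:", line)
```

Run it against an unpacked APK's decoded manifest (the sample above is wired in for offline use). An app that legitimately needs a custom scheme will normally also request INTERNET, so the first finding is the one worth chasing; the second only notes that the app has a component type capable of the relaunch trick and is not itself evidence of it.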

The No-permissions Reverse Shell – the app Cannon wrote to exploit the weakness – doesn't do anything wrong from the point of view of Android's security.

"We’ve exploited the Android Web Browser, although we are not exploiting a vulnerability due to bad coding, but rather using the functionality it legitimately offers to other applications," Cannon wrote.

The exploit is not malware or a virus. It wouldn't be caught by the kind of malware screen Apple gives iPhone apps in its App Store.

The exploit takes advantage of the assumption that apps will be honest in the requests they make for permission, that users will double-check what permissions they want and that none of the apps will do anything beyond the strict boundaries of the user's own expectations.

In a smartphone market in which even the carriers install high-functioning spyware to keep an eye on end users, that approach is painfully naïve.

Cannon wasn't trying to criticize Android security, or to crack it.

He was trying to prompt more discussion about how to structure permissions for Android apps and get users to pay attention.

That's a lost cause. Users won't pay attention. They can't or won't be responsible for their own security.
