The issue was reported to Google in February and the company started blocking some of the things an attacker could do, Young said.
For example, an attacker authenticated via a weblogin token can no longer use the Google Takeout service to get a data dump for an entire Google Account and can no longer add new Google Apps users, although there is a workaround that still makes the latter action possible, Young said.
Young's app displays the weblogin permission prompt because it uses the standard Android API (application programming interface) to get the token. However, if the app used an exploit to get root privileges on the device, it would be able to grab the token without requiring user confirmation, he said.
The app stayed in Google Play for around a month until someone probably reported it as malicious, and during this time there was no indication it had been scanned by Bouncer, a Google Play service that searches for malicious apps in the marketplace, the researcher said. If it was scanned, then it wasn't flagged as malicious, which raises questions about Bouncer's effectiveness, he said.
After it was reported as malicious, the app was removed from Google Play, and Android's local app verification feature now blocks it as spyware when trying to install it.
Google did not respond to a request for comment sent Thursday.
Most Android antivirus products from well known vendors didn't detect the app as malware either, but one privacy advisor application did list the rogue app as having account access, Young said.
"Today's presentation showed that with enough ingenuity and effort you can easily bypass apparently well protected systems," said Alexandru Catalin Cosoi, the chief security strategist at antivirus vendor Bitdefender, who attended Young's talk.
The only way to prevent these things from happening is to raise the cost of attacks, so that by the time one lock is bypassed, there is a new lock in place that needs to be breached, Cosoi said. Vulnerabilities can be found on a regular basis, so continuous research definitely helps in improving systems like Google Bouncer, making attacks more costly for hackers to pull off, he said.
Businesses shouldn't allow their IT administrators to use Google accounts on their Android devices that are also Google Apps domain administrators, Young said.
Users should be wary of apps that request access to accounts added on the device and should answer "no" to permission prompts containing the words "weblogin" or "ID," he said.
Google should create an option to allow Google Apps domain owners to block Google Apps access via weblogin and should make the weblogin prompts more informative so that users understand what they do, the researcher said.