Vulnerabilities / Threats
11/15/2010
12:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Fake Angry Birds App Exposes Android Vulnerability

Flaw bypasses a security control, allowing an application to silently download and grant complete access rights to additional apps.

Top 20 Android Productivity Apps
(click image for larger view)
Slideshow: Top 20 Android Productivity Apps

Angry Birds may be a top-selling game for all smartphone platforms, but don't mistake it for the unauthorized Angry Birds Bonus Levels app released by security researcher Jon Oberheide, CTO at Scio Security.

That's because the bonus-levels version for the Android platform isn't a game at all, but rather a proof-of-concept application demonstrating an Android vulnerability discovered by Oberdeide and Zach Lanier, a senior consultant at Intrepidus Group. They detailed their findings at an Intel security conference in Hillsboro, Ore., on Thursday.

"This vulnerability would make it possible for one application to download and launch additional applications from the [Android] Marketplace," said Mikko Hypponen, chief research officer at F-Secure. "To demonstrate this, Jon had also uploaded several other applications to Marketplace: Fake Contact Stealer, Fake Location Tracker, and Fake Toll Fraud. These would be launched by the Angry Birds trojan."

Android typically requires that a user give explicit permission for an application to access a particular service on the phone, or to install any additional applications. This attack bypasses that security control, allowing an attacker to use one installed application to download and grant complete access rights to additional applications.

For such an attack to work, however, a user would first have to install the malicious application, and then the required, additional malicious applications would have to be already present in the Android Market.

According to Forbes, Google pulled the plug on the bogus application about six hours after it first appeared.

According to a Google spokesperson: "We began rolling out a fix for this issue on Friday, which will apply to all Android devices. As always, we advise users to only install applications they trust."

In June, Oberdeide uploaded to Android Market another application -- ostensibly relating to the Twilight movie franchise -- to illustrate another Android vulnerability he'd discovered. His application demonstrated how an attacker could use Android's GTalkService to "gain a large install base for a seemingly innocent application and then push down a local privilege escalation exploit as soon as a new vulnerability is discovered in the Linux kernel and root the device," he said in a blog post at the time.

Google ultimately used its remote kill switch, apparently for the first time, to remove the application from all Android devices.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.