Vulnerabilities / Threats
11/15/2010
12:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Fake Angry Birds App Exposes Android Vulnerability

Flaw bypasses a security control, allowing an application to silently download and grant complete access rights to additional apps.

Top 20 Android Productivity Apps
(click image for larger view)
Slideshow: Top 20 Android Productivity Apps

Angry Birds may be a top-selling game for all smartphone platforms, but don't mistake it for the unauthorized Angry Birds Bonus Levels app released by security researcher Jon Oberheide, CTO at Scio Security.

That's because the bonus-levels version for the Android platform isn't a game at all, but rather a proof-of-concept application demonstrating an Android vulnerability discovered by Oberdeide and Zach Lanier, a senior consultant at Intrepidus Group. They detailed their findings at an Intel security conference in Hillsboro, Ore., on Thursday.

"This vulnerability would make it possible for one application to download and launch additional applications from the [Android] Marketplace," said Mikko Hypponen, chief research officer at F-Secure. "To demonstrate this, Jon had also uploaded several other applications to Marketplace: Fake Contact Stealer, Fake Location Tracker, and Fake Toll Fraud. These would be launched by the Angry Birds trojan."

Android typically requires that a user give explicit permission for an application to access a particular service on the phone, or to install any additional applications. This attack bypasses that security control, allowing an attacker to use one installed application to download and grant complete access rights to additional applications.

For such an attack to work, however, a user would first have to install the malicious application, and then the required, additional malicious applications would have to be already present in the Android Market.

According to Forbes, Google pulled the plug on the bogus application about six hours after it first appeared.

According to a Google spokesperson: "We began rolling out a fix for this issue on Friday, which will apply to all Android devices. As always, we advise users to only install applications they trust."

In June, Oberdeide uploaded to Android Market another application -- ostensibly relating to the Twilight movie franchise -- to illustrate another Android vulnerability he'd discovered. His application demonstrated how an attacker could use Android's GTalkService to "gain a large install base for a seemingly innocent application and then push down a local privilege escalation exploit as soon as a new vulnerability is discovered in the Linux kernel and root the device," he said in a blog post at the time.

Google ultimately used its remote kill switch, apparently for the first time, to remove the application from all Android devices.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3562
Published: 2014-08-21
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.

CVE-2014-3577
Published: 2014-08-21
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-...

CVE-2014-5158
Published: 2014-08-21
The (1) av-centerd SOAP service and (2) backup command in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary commands via unspecified vectors.

CVE-2014-5159
Published: 2014-08-21
SQL injection vulnerability in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary SQL commands via the ws_data parameter.

CVE-2014-5210
Published: 2014-08-21
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.