Vulnerabilities / Threats
11/15/2010
12:07 PM
50%
50%

Fake Angry Birds App Exposes Android Vulnerability

Flaw bypasses a security control, allowing an application to silently download and grant complete access rights to additional apps.

Top 20 Android Productivity Apps
(click image for larger view)
Slideshow: Top 20 Android Productivity Apps

Angry Birds may be a top-selling game for all smartphone platforms, but don't mistake it for the unauthorized Angry Birds Bonus Levels app released by security researcher Jon Oberheide, CTO at Scio Security.

That's because the bonus-levels version for the Android platform isn't a game at all, but rather a proof-of-concept application demonstrating an Android vulnerability discovered by Oberdeide and Zach Lanier, a senior consultant at Intrepidus Group. They detailed their findings at an Intel security conference in Hillsboro, Ore., on Thursday.

"This vulnerability would make it possible for one application to download and launch additional applications from the [Android] Marketplace," said Mikko Hypponen, chief research officer at F-Secure. "To demonstrate this, Jon had also uploaded several other applications to Marketplace: Fake Contact Stealer, Fake Location Tracker, and Fake Toll Fraud. These would be launched by the Angry Birds trojan."

Android typically requires that a user give explicit permission for an application to access a particular service on the phone, or to install any additional applications. This attack bypasses that security control, allowing an attacker to use one installed application to download and grant complete access rights to additional applications.

For such an attack to work, however, a user would first have to install the malicious application, and then the required, additional malicious applications would have to be already present in the Android Market.

According to Forbes, Google pulled the plug on the bogus application about six hours after it first appeared.

According to a Google spokesperson: "We began rolling out a fix for this issue on Friday, which will apply to all Android devices. As always, we advise users to only install applications they trust."

In June, Oberdeide uploaded to Android Market another application -- ostensibly relating to the Twilight movie franchise -- to illustrate another Android vulnerability he'd discovered. His application demonstrated how an attacker could use Android's GTalkService to "gain a large install base for a seemingly innocent application and then push down a local privilege escalation exploit as soon as a new vulnerability is discovered in the Linux kernel and root the device," he said in a blog post at the time.

Google ultimately used its remote kill switch, apparently for the first time, to remove the application from all Android devices.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8370
Published: 2015-01-29
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-0236
Published: 2015-01-29
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2015-1043
Published: 2015-01-29
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044
Published: 2015-01-29
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.

CVE-2015-1422
Published: 2015-01-29
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) j...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.