Vulnerabilities / Threats
11/15/2010
12:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Fake Angry Birds App Exposes Android Vulnerability

Flaw bypasses a security control, allowing an application to silently download and grant complete access rights to additional apps.

Top 20 Android Productivity Apps
(click image for larger view)
Slideshow: Top 20 Android Productivity Apps

Angry Birds may be a top-selling game for all smartphone platforms, but don't mistake it for the unauthorized Angry Birds Bonus Levels app released by security researcher Jon Oberheide, CTO at Scio Security.

That's because the bonus-levels version for the Android platform isn't a game at all, but rather a proof-of-concept application demonstrating an Android vulnerability discovered by Oberdeide and Zach Lanier, a senior consultant at Intrepidus Group. They detailed their findings at an Intel security conference in Hillsboro, Ore., on Thursday.

"This vulnerability would make it possible for one application to download and launch additional applications from the [Android] Marketplace," said Mikko Hypponen, chief research officer at F-Secure. "To demonstrate this, Jon had also uploaded several other applications to Marketplace: Fake Contact Stealer, Fake Location Tracker, and Fake Toll Fraud. These would be launched by the Angry Birds trojan."

Android typically requires that a user give explicit permission for an application to access a particular service on the phone, or to install any additional applications. This attack bypasses that security control, allowing an attacker to use one installed application to download and grant complete access rights to additional applications.

For such an attack to work, however, a user would first have to install the malicious application, and then the required, additional malicious applications would have to be already present in the Android Market.

According to Forbes, Google pulled the plug on the bogus application about six hours after it first appeared.

According to a Google spokesperson: "We began rolling out a fix for this issue on Friday, which will apply to all Android devices. As always, we advise users to only install applications they trust."

In June, Oberdeide uploaded to Android Market another application -- ostensibly relating to the Twilight movie franchise -- to illustrate another Android vulnerability he'd discovered. His application demonstrated how an attacker could use Android's GTalkService to "gain a large install base for a seemingly innocent application and then push down a local privilege escalation exploit as soon as a new vulnerability is discovered in the Linux kernel and root the device," he said in a blog post at the time.

Google ultimately used its remote kill switch, apparently for the first time, to remove the application from all Android devices.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.