Angry Birds may be a top-selling game for all smartphone platforms, but don't mistake it for the unauthorized Angry Birds Bonus Levels app released by security researcher Jon Oberheide, CTO at Scio Security.
That's because the bonus-levels version for the Android platform isn't a game at all, but rather a proof-of-concept application demonstrating an Android vulnerability discovered by Oberdeide and Zach Lanier, a senior consultant at Intrepidus Group. They detailed their findings at an Intel security conference in Hillsboro, Ore., on Thursday.
"This vulnerability would make it possible for one application to download and launch additional applications from the [Android] Marketplace," said Mikko Hypponen, chief research officer at F-Secure. "To demonstrate this, Jon had also uploaded several other applications to Marketplace: Fake Contact Stealer, Fake Location Tracker, and Fake Toll Fraud. These would be launched by the Angry Birds trojan."
Android typically requires that a user give explicit permission for an application to access a particular service on the phone, or to install any additional applications. This attack bypasses that security control, allowing an attacker to use one installed application to download and grant complete access rights to additional applications.
For such an attack to work, however, a user would first have to install the malicious application, and then the required, additional malicious applications would have to be already present in the Android Market.
According to Forbes, Google pulled the plug on the bogus application about six hours after it first appeared.
According to a Google spokesperson: "We began rolling out a fix for this issue on Friday, which will apply to all Android devices. As always, we advise users to only install applications they trust."
In June, Oberdeide uploaded to Android Market another application -- ostensibly relating to the Twilight movie franchise -- to illustrate another Android vulnerability he'd discovered. His application demonstrated how an attacker could use Android's GTalkService to "gain a large install base for a seemingly innocent application and then push down a local privilege escalation exploit as soon as a new vulnerability is discovered in the Linux kernel and root the device," he said in a blog post at the time.
Google ultimately used its remote kill switch, apparently for the first time, to remove the application from all Android devices.