On Wednesday, a proof-of-concept app that took advantage of two serious flaws recently discovered in the Android OS was uploaded and made available on the Android Market.
Disguised as an Angry Birds expansion, the app silently installed three additional apps without the need for user authorization. The hidden apps also had the ability to gain access to the user's phone contacts, location information and SMS functionality. They could also transmit the data to a remote server.
Scio Security CTO Jon Oberheide--one of the two researchers who discovered and exploited the Android vulnerability--said that it took Google about six hours to discover and pull the bogus app. The next step will be to "lock down" the special security tokens that Google uses so that users don't have to expose passwords to third-party services. The proof-of-concept code works by exploiting weaknesses in that Android token system.
"It abuses that token to perform the same actions the legitimate Market app would perform, but without asking for permission," Oberheide told The Register. "Through some of the research, we realized we could use this one specific token for the Android service to bypass the restrictions on the permission system."
Oberheide and colleague Zach Lanier--a senior consultant at Intrepidus Group--plan to provide more details at an internal security conference scheduled for Thursday at Intel's Oregon campus.
In June, Oberheide released a pair of apps on the Android Market that forced Google to use its then-secret remote kill switch. The apps demonstrated how hackers can simply use the Market to bootstrap a rootkit onto Android phones.