New Security Bug In Android Is Capable Of Sending Unauthorized SMS, Eavesdropping On Phone Calls And More
It’s really not been a great week for mobile security. We’ve had the giant mess that is the Carrier IQ debacle, where a company appears to have at least the ability to monitor just about anything to do with a smartphone, and now we have a new Android security flaw that could potentially be just as troublesome.
Researchers from North Carolina State University have discovered that a potential weakness in Google’s Android smartphone operating system could open the door for the recording of calls, the monitoring of the phone’s location and the sending of unauthorized SMS messages.
Phones from the likes of HTC, Motorola, Google and Samsung all possess a security hole which allows untrusted apps to gain access to aspects of a smartphone which should be locked out.
When a user downloads an app from the Android Market, they are given a list of permissions that the app needs in order to function. If they see a permission that they do not want to grant, they then have the option of cancelling that installation and that is the end of that.
The new research claims that it is possible to bypass the checks, allowing apps access to certain things even though they have not been given express permission by the user.
The key to this appears to be the various skins and overlays manufacturers add to the stock Android experience in order to help them differentiate themselves from the competition, according to the researchers.
The code making the circumvention possible is contained in interfaces and services the device manufacturers add to enhance the stock firmware supplied by Google.
In order to show what is possible, the team created a sample Android app which was then allowed to record voice, send an unauthorized SMS message and even restart the phone.
The researchers ran their app on eight different devices to test the differing levels of risk. The HTC EVO 4G was deemed to be the least secure, with Google’s Nexus S and Nexus One faring the best, but still being susceptible to some forms of attack.
The manufacturers in question are aware of the issue, so expect to see fixes arriving as soon as they have cleared up all this Carrier IQ hoopla!