They can direct users to phishing websites or to the app itself

Apr 16, 2014 02:05 GMT  ·  By

Google’s Android operating system is the most popular mobile OS out there, but also the most targeted when mobile malware is involved.

In fact, FireEye mobile security researchers have discovered that even applications that request only normal-level permissions can prove to be malicious, since they can silently modify icons on the home screen.

The researchers claim that such an app could change these icons to redirect users to phishing websites or to the malicious app itself, and that it would do so without notifying the user.

As a recent post on FireEye’s blog explains, Android Open Source Project (AOSP) classifies Android permissions as normal, dangerous, system, signature, and development.

However, while dangerous permissions are displayed to the user, since they require confirmation before proceeding, normal permissions are granted automatically at installation, without asking for approval.

“We have found that certain ‘normal’ permissions have dangerous security impacts. Using these normal permissions, a malicious app can replace legit Android home screen icons with fake ones that point to phishing apps or websites,” FireEye explains.

If an app with malicious intentions has the ability to manipulate Android home screen icons, it can help an attacker deceive the user, which is why the com.android.launcher.permission.INSTALL_SHORTCUT permission was recategorized as dangerous in Android 4.2.

However, icons on the screen can still be manipulated through the use of two other permissions, namely com.android.launcher.permission.READ_SETTINGS and com.android.launcher.permission.WRITE_SETTINGS.

“These two permissions enable an app to query, insert, delete, or modify the whole configuration settings of the Launcher, including the icon insertion or modification. Unfortunately, these two permissions have been labeled as ‘normal’ since Android 1.x,” the blog post explains.

“As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website.”

The proof-of-concept app was tested on Android 4.4.2, the team explains. Google Play will accept such an application, and users won’t be warned when downloading and installing it (the team adds that both the app and the website it redirected to have been removed, and that no one else downloaded it).

Apparently, the vulnerability does not only affect Android devices running AOSP: non-AOSP launchers were also found to have the protection levels for these permissions set to “normal”.
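The permission-level distinction above, and the finding that some launchers still declare the two settings permissions as “normal”, both come down to what is written in AndroidManifest.xml. The following Python script is an added example, not FireEye's code or anything from the post: it audits decoded (text) manifests, as a tool such as apktool produces them, and reports (a) which of the launcher permissions from the post a launcher declares with an auto-granted protection level, and (b) which of them a third-party app requests, so an app-vetting or OEM review step can flag either. The two sample manifests and the package names in them are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Android resource namespace used for manifest attributes such as android:name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PROTECTION_LEVEL = f"{{{ANDROID_NS}}}protectionLevel"

# The launcher permissions discussed in the FireEye post.
LAUNCHER_PERMISSIONS = {
    "com.android.launcher.permission.INSTALL_SHORTCUT",
    "com.android.launcher.permission.READ_SETTINGS",
    "com.android.launcher.permission.WRITE_SETTINGS",
}

# Protection levels granted silently at install time. A <permission> element
# with no android:protectionLevel attribute defaults to "normal".
AUTO_GRANTED_LEVELS = {"normal"}


def weak_launcher_permissions(manifest_xml: str) -> Dict[str, str]:
    """For a launcher's decoded manifest, return the launcher permissions it
    declares with a protection level that is granted without user approval."""
    root = ET.fromstring(manifest_xml)
    weak: Dict[str, str] = {}
    for perm in root.iter("permission"):
        name = perm.get(NAME, "")
        level = perm.get(PROTECTION_LEVEL, "normal")
        if name in LAUNCHER_PERMISSIONS and level in AUTO_GRANTED_LEVELS:
            weak[name] = level
    return weak


def requested_launcher_permissions(manifest_xml: str) -> Set[str]:
    """For an app's decoded manifest, return which of the launcher
    permissions it requests via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    requested = {up.get(NAME, "") for up in root.iter("uses-permission")}
    return requested & LAUNCHER_PERMISSIONS


# Constructed sample: a launcher that, like the pre-patch launchers in the
# post, marks INSTALL_SHORTCUT dangerous but leaves the two settings
# permissions at "normal".
LAUNCHER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.launcher">
    <permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"
        android:protectionLevel="dangerous" />
    <permission android:name="com.android.launcher.permission.READ_SETTINGS"
        android:protectionLevel="normal" />
    <permission android:name="com.android.launcher.permission.WRITE_SETTINGS"
        android:protectionLevel="normal" />
</manifest>
"""

# Constructed sample: a third-party app that asks for both settings permissions.
APP_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS" />
    <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS" />
</manifest>
"""

if __name__ == "__main__":
    for name, level in sorted(weak_launcher_permissions(LAUNCHER_MANIFEST).items()):
        print(f"launcher declares {name} as '{level}': granted silently at install")
    for name in sorted(requested_launcher_permissions(APP_MANIFEST)):
        print(f"app requests {name}: review before publishing or installing")
```

Run on its own the script prints two findings for the launcher (READ_SETTINGS and WRITE_SETTINGS at “normal”) and two for the app. In a real pipeline the same two checks would run over manifests decoded from the launcher APK shipped by an OEM and from each app submitted for review; the launcher side is the fix the post says Google pushed to its OEM partners, and the app side is the warning the Play Store did not give.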

However, Google is said to have acknowledged this issue, and a patch has reportedly already been released to its OEM partners.