Nov 15, 2010 10:36 GMT

A “fake” Angry Birds application, disguised as an expansion for the original game, has been developed by Jon Oberheide, Chief Technology Officer of Scio Security, with the sole purpose of demonstrating weaknesses in the Android security model.

Users who downloaded the application from the Android Market would get three more applications silently downloaded and installed on their device, without any notice whatsoever.

The three “extra” apps gained permissions that would allow malicious activity, but the developer stated that they were benign. They were named Fake Location Tracker, Fake Toll Fraud and Fake Contact Stealer, simply to illustrate what such apps could have done.

“In the past, we’ve focused on the issue of users not paying attention to what permissions they’re approving for their apps,” said Oberheide. “But in cases like this, the attacker can bypass those permissions and it’s very difficult for users to protect themselves at all.”

Oberheide, who was scheduled to present his research on the Android vulnerability at Intel's annual internal security conference in Hillsboro last week, had his spoofed Angry Birds app pulled from the market by Google one day before he had the chance to give his presentation.

An unnamed Google official said that the company had already rolled out a fix for the issue, which is available for all Android devices.

In an interview with CNET, Jon Oberheide stated that “to accomplish the proof-of-concept exploit, the fake app was written to abuse the credentials service that Android has for allowing apps to request authorization tokens”.

“For it to work, a user had to first grant credentials to the suspicious app, according to an industry source. Meanwhile, the additional app installations would have appeared in the phone notifications, ostensibly alerting a user to the installation,” added Oberheide.

Those who installed Oberheide's application without knowing that it was “fake” need not worry that their sensitive information has been compromised: the developer only wanted to demonstrate the security flaw with a POC (proof of concept), not to exploit it.

[Photo gallery, 2 images: "Fake" Angry Birds installation screen; the additional apps that install after Angry Birds]