Just last week, a report by ViaForensics said that Google Wallet was writing the history of user transactions to unencrypted database files. While we thought the issue was over, VF once again discovered another Android imperfection—apps performing various things like providing shell access to its remote user! The worst part about this flaw is that it does not ask for any permission from its user.
Generally speaking, once you download an app, you are giving it permission to perform a number of things. But there are some very simple apps that actually do some unseemly tasks. Adding to the fact that there really are some users who do not bother to check the source of their downloaded apps and its developers, they do not bother to check permissions too. Sadly, Google has not taken action to patch this problem and has decided to allow developers to exploit on this unfortunate action.
VF also mentioned that these hacks were already talked about in last year’s Defcon 18. It also coincides with North Carolina State University’s research discovery of the capability leak vulnerability of apps. However, these hacks still work well in all Android versions—including the latest Android 4.0 Ice Cream Sandwich. It just goes to show how unsafe we still are.
Check out the video below to see what types of actions these apps can do even without the permission of its user.
Android No-Permissions Reverse Shell from Thomas Cannon on Vimeo.
Like this post? Share it!