Over A Dozen Android Apps Have Confirmed Vulnerabilities

August 15, 2011

Android has a whole lot of apps in the market. That’s actually one of the many attractions that the platform has. Unfortunately, it seems that these apps are going to be a source of problems for the user. Privateer Labs, a mobile security research center, claims that over a dozen commonly-used Android apps can leave phones vulnerable to phishing and hijacking. Riley Hassell, the founder of Privateer Labs, has already alerted Google to these apps but has publicly refused to name them.

Google, however, is a bit wary about these claims. A Google spokesman has responded that several Android security experts are unconvinced about Privateer Labs’ findings.

The claims of Android security holes were supposed to be backed by a demonstration by Hassell and Shane Macauley, a colleague of his, at the recent Black Hat hacking conference in Las Vegas. The demonstration was cancelled at the last minute because their findings may have already been replicated. Hassell claims that he discovered an Android feature that lets apps respond to other apps being launched – a feature that could conceivably allow a malicious attacker to present a spoofed log-in page. In this attack, a malicious app could mimic a trusted app to steal user credentials.

Another exploit is designed around an Android function that lets apps use another app’s functions – something that can be used to hijack a phone to listen in on calls or to have it call premium-rate numbers.

Attacks like these require the malicious app to be downloaded, so careful screening of apps should keep users safe. However, the previous history of Android malware isn’t exactly reassuring. Last March, over 50 apps that were stealing personal data were removed from the Android Market, followed by 26 more several months later.

Such malware attacks are only set to rise as Android rises to challenge iOS dominance, so it is best to take a good look at your apps before using them.

 

Source: eWeek Europe
