A professor of computer science from the University of California, Davis has been doing research into security vulnerabilities in Android apps and has discovered that some apps are exposing interfaces which could be used for malicious purposes. Although the research is interesting from a software engineering and security point of view, the question for Android users is can these theoretical attacks become real attacks used by either state sponsored hackers or cyber-criminals?
The answer is unfortunately unclear. The research, which was carried out by Professor Su and his graduate students, analysed thousands of apps from Google Play and discovered that some apps like Handcent SMS exposed parts of its internal workings to other apps. These apps, if malicious, could then interfere with the vulnerable app and gain access to private information.
To exploit the vulnerabilities in the apps a real world hacker first needs to convince the user to download his or hers malicious app which is expecting to find the unsafe apps already installed. This can be done by disguising the malicious app as something useful or by using a phishing attack via email, web or SMS. The point is that for these weaknesses to be exposed malware must first be installed.
And here is the key, there are probably dozens of ways that malware can do nasty things on a smartphone once it is installed including sending expensive premium rate SMS messages or intercepting SMS messages related to online banking and so on. Once malware is installed on your device then you have problems. That was equally true before this current research was published.
However what the team from California has shown is that the attack surface is larger than previously thought. The attack surface is how much of a device (including the OS, the apps and the hardware) is open to malicious use by malware. What Professor Su has done is show that it isn’t only weaknesses in the underlying Android OS that can be exploited by malware.
The apps actually listed by Su are Handcent SMS, WeChat (an instant messaging service popular in China) and Weibo (a popular Chinese micro blogging service). There could be more vulnerable apps that have yet to be disclosed by the research team, however we may have to wait as they have submitted a paper on the work to the Systems, Programming, Languages and Applications: Software for Humanity (SPLASH) 2013 conference, which will be held in Indianapolis this October.
As always only download apps from reputable sources like Google Play or the Amazon app store, always look at the permissions requested by an app and check the reviews before going ahead and installing the app.