Smartphone Users: Malicious Apps Abound

There is a malicious mobile application that requires a phone user to grant no permissions during installation, but could give remote attackers the ability to install and execute malicious code on mobile devices running the Android operating system.

The “No-permission Android App Remote Shell” does not take advantage of a security hole in Google’s Android. Rather, it exploits legitimate functionality known for a number of years, said researchers at security firm Viaforensics.

RELATED STORIES
Data Treasure on Old Smartphones
Looking for a SSL Fix
Targeted Attacks on Rise
Compromise: When to Revoke Certificates

The application provides access to a wide range of device features, allowing ViaForensics researchers to extract data about the device, control the application, read data from the SD Card and potentially download other applications or exploits. Upon installation, once the device locks, it connects to ViaForensics’s control server.

“We are using Android the way it was designed to work, but in a clever way in order to establish a two-way communication channel,” said ViaForensics Director of Research and Development Thomas Cannon.

Android’s open nature and its built-in multi-tasking capabilities are the platform’s downfall in this instance, Cannon said.

ViaForensics said security on the Android platform relies, in part, upon the assumption that third party application developers are on the level.

With smartphones becoming more popular as a work tool, other researchers raised similar arguments about the need for more security on the Android platform.

The Viaforensics application works on Android versions from 1.5 to 4.0 Ice Cream Sandwich, which is the code name for the newest Android update.

ViaForensics decided not to place their remote shell app on the Official Android Market and will not release the full technical details of the exploit.