Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Features included in some off-the-shelf Android phones contain dangerous vulnerabilities that leave the devices susceptible to infiltration.
The gaps also potentially enabled attackers to bypass security mechanisms and wipe users' data or record conversations, according to US researchers at North Carolina State University.
Android phones from leading manufacturers – including HTC, Motorola and Samsung – contain pre-loaded applications that do not properly enforce the platform's permission-based security model, designed to require each app to explicitly request permission from the user to access personal information and phone features.
The affected apps were designed to make the smartphones more user friendly and can be exploited by hackers to access and erase user data, send text messages to costly premium-rate numbers or even record a user's conversations, according to a research paper describing the issues.
“The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential backdoors that can be used to give third-parties direct access to personal information or other phone features,” Xuxian Jiang, an assistant professor of computer science at NC State and co-author of the research paper, said in a news release.
The researchers developed a tool, called Woodpecker, to identify these so-called “capability leaks,” or situations where an app can gain permission without actually requesting it. They tested eight different smartphone models, including two loaded only with Google's baseline Android software, meaning there were no additional apps loaded.
Both of those did not contain the flaw. Five other models, however, had “significant vulnerabilities,” including HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G, each of which contained multiple capability leaks. The EVO 4G was found to be most vulnerable.
“We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today,” the report stated.
The affected vendors were informed about the issues earlier this year. According to the research paper, Motorola and Google have confirmed the reported vulnerabilities in the affected phones. HTC and Samsung, however, have been “really slow” in responding to the revelations.
Representatives from HTC, Motorola and Samsung did not immediately respond when contacted by SCMagazineUS.com.
Amit Sinha, CTO at security firm Zscaler said managing the security of Android devices will likely become even more challenging in the future.
“Android is a complex ecosystem with Google providing the [operating system], device manufacturers adding enhancements, and app developers that do not have to go through a validation process,” he said.
This is not the first time security flaws have been discovered in Android devices. In October, researcher Trevor Eckhart disclosed a bug affecting certain HTC Android devices that could give any internet-connected application access to users' personal data. HTC has since pushed out a fix.
This article originally appeared at scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.