Video: Security vendor demonstrates Android exploits

Rich Fiscus
21 Sep 2011 15:41

Jon Oberheide of Duo Security has released a video demonstrating two security vulnerabilities which could allow apps to take control of Android devices.
The video was created to generate interest in the firm's upcoming workshop on mobile security at the SOURCE security conference in Barcelona this November.

Last year Oberheide was responsible for exposing a weakness in Google's Android Marketplace, which allowed the remote installation of malicious code from within an app.
The first vulnerability demonstrated in the new video affects all Android devices. It allows an already installed app to install other apps without prompting the user to approve their permissions.

He says this problem can also be exploited by an attack which compromises an otherwise safe app after it has been installed.

The second attack demonstrated would allow an app to gain full control over an Android device by using a Linux kernel exploit which bypasses security permission limitations.



While Google's lack of control over Android vendors and handsets has been instrumental in its success, it also poses significant security challenges. By ceding control over the application of updates to Android devices, Google has created a system where commercial factors may outweigh the best interests of consumers.

Even if Samsung, HTC, or Motorola believes it is in its own best interest to offer immediate updates, in many cases its decision may be overruled by a carrier whose primary interest is ensuring control over customers' phones.
