ADVERTISEMENT
Filtered By: Scitech
SciTech

Android glitch allows eavesdropping, data theft


+
Add GMA on Google
Make this your preferred source to get more updates from this publisher on Google.
A glitch in the security of Google's Android operating system may allow hackers to snatch data, monitor geolocation, send SMS messages, and even eavesdrop on conversations in some smartphones running Android, security researchers claimed.
 
The researchers from North Carolina State University found the glitches in eight handsets from HTC, Motorola, Samsung and Google, computer security firm Sophos said.
 
"The glitchy code lies within interfaces and services added by the phone manufacturers to beef up stock firmware from Google," Sophos said in a blog post.
 
Sophos said the researchers found eight Android smartphones they tested and found to be at risk:
 
HTC:
  • Legend
  • EVO 4G
  • Wildfire S
 
Motorola:
  • Droid
  • Droid X
 
Samsung:
  • Epic 4G
 
Google:
  • Nexus One
  • Nexus S
 
Citing the paper, Sophos said the researchers found "explicit capability leaks" that would allow hackers to bypass key security defenses of Android.
 
It said these defenses would require users to grant permission to apps before those apps gain access to personal information and functions such as texting.
 
Sophos said the researchers were surprised to learn some manufacturers do not properly enforce the permission-based security model.
 
"Specifically, several privileged (or dangerous) permissions that protect access to sensitive user data or phone features are unsafely exposed to other apps which do not need to request these permissions for the actual use," it quoted the researchers as saying.
 
These capability leaks constitute "a tangible security weakness for many Android smartphones in the market today," the researchers said.
 
Also, they noted that the snazzier the phone, the buggier the picture, since more pre-loaded apps are present means a greater chance the gadget is to have explicit capability leaks.
 
On the other hand, Sophos noted the researchers said the tool they used to validate the smartphones, which they dubbed Woodpecker, has its own limitations.
 
Woodpecker is also limited to handling 13 defined permissions, although many more exist, and apps are free to define new ones.
 
"Extending the system to handle more predefined permissions is expected to produce much the same results," the researchers said.
 
Chained leaks
 
Sophos said the researchers raised the possibility of chained capability leaks, where a permission might be safely passed from one app to a second app, which then unsafely passes it on along to a third app.
 
They also said there may be even more bugs among third-party apps, as they examined only pre-loaded apps in the smartphones' firmware.
 
The researchers said capability leaks — particularly explicit ones — on phone images "are of great interest to malicious third parties."
 
Implicit leaks are fairly rare, and more likely tied to software engineering defects than constituting actual security risks, they said.
 
But implicit leaks could be due for their day in the sun when it comes to third-party apps, since they could open the smartphones up to "collusion attacks," Sophos quoted the researchers as saying. — TJD, GMA News