Internet security researchers have discovered two bugs in Google’s Android operating system that might allow attackers to install malware. The more serious of the bugs was demonstrated in a proof-of-concept app that was disguised as an expansion for the popular game Angry Birds.
The researchers, Jon Oberheide and Zach Lanier, created the fake app to demonstrate the threat. When downloaded, the app installed three additional apps that access the user’s phone contacts, location information and SMS functionality. The data could then be transmitted to a remote server.
The proof-of-concept works by exploiting weaknesses in Android’s token system, which Android uses to authenticate users. “It abuses that token to perform the same actions the legitimate Market app would perform, but without asking for permission,” Oberheide said to the Register. “Through some of the research, we realized we could use this one specific token for the Android service to bypass the restrictions on the permission system.”
The threat is significant, as the Android OS has become one of the most popular for mobile phones. According to PC World, the Android OS makes up 25.5 percent of the mobile OS market, second only to Nokia’s Symbian.