Security Researcher Discovers Ways That Android Apps Can Maliciously Share Data Without Permissions

Security Researcher Discovers Ways That Android Apps Can Maliciously Share Data Without Permissions

Apr 13, 2012

Ever think that a way to detect if certain Android apps are malware because of suspicious permissions they request access to? Well, apparently that’s not even a reliable indicator at this point, because Paul Brodeur of Leviathan Security has put together a sample app that shows just what trouble an app can cause even without having any permission access at all. It’s possible for any app to have read-only access to the SD card and all the photos, backups, and even sometimes OpenVPN certificates as Brodeur discovered. Second, it’s possible for any app to find out what apps are currently installed on each device and “This feature could be used to find apps with weak-permission vulnerabilities, such as those that were reported in Skype last year.” Third, it’s possible for apps to read GSM and SIM vendor IDs, kernel version, and Android ID.

In order to share this information, apps can use the URI ACTION_VIEW to send this data by opening a web browser by sending it through a URI. These vulnerabilities exist in both Gingerbread and Ice Cream Sandwich. Since updating Android is so difficult for Google, these security vulnerabilities may not be patched for many users for a while – and it may be difficult to tell if an app is taking advantage of them.

Carter Dotson
Carter Dotson, editor of Android Rundown, has been covering Android since late 2010, and the mobile industry as a whole since 2009. Originally from Texas, he has recently moved to Chicago. He loves both iOS and Android for what they are - we can all get along!
Connect with Carter Dotson // email // www