'Significant' holes found in Android phones

Features included in some off-the-shelf Android-based smartphones have been found to contain dangerous vulnerabilities that leave the devices susceptible to infiltration.

The gaps potentially enable attackers to bypass security mechanisms and wipe users' data or record conversations, according to US researchers at North Carolina State University.

The vulnerabilities are the result of applications pre-loaded onto some Android phones from leading manufacturers – including HTC, Motorola and Samsung – that do not properly enforce the platform's permission-based security model.

The model is requires each app to explicitly request permission from the user to access personal information and phone features.

The affected apps were designed to make the smartphones more user friendly but can be exploited by hackers to access and erase user data, send text messages to costly premium-rate numbers or even record a user's conversations, according to a research paper describing the issues.

“The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential backdoors that can be used to give third-parties direct access to personal information or other phone features,” said Xuxian Jiang, an assistant professor of computer science at NC State and co-author of the research paper.

The researchers have developed a tool, called Woodpecker, to identify these so-called “capability leaks”, or situations where an app can gain permission without actually requesting it.

In a test of the software on eight different smartphone models, researchers discovered “significant vulnerabilities" in HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G, each of which contained multiple capability leaks.

The EVO 4G was found to be most vulnerable.

The application test was also applied on two smartphones loaded only with Google's baseline Android software, meaning there were no additional apps loaded.

Both of those did not contain the flaw. 

“We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today,” the report stated.

The affected vendors were informed about the issues earlier this year. According to the research paper, Motorola and Google have confirmed the reported vulnerabilities in the affected phones. HTC and Samsung, however, have been “really slow” in responding to the revelations.

Representatives from HTC, Motorola and Samsung did not immediately respond when contacted by SCMagazine US.

Amit Sinha, CTO at security firm Zscaler said managing the security of Android devices will likely become even more challenging in the future.

“Android is a complex ecosystem with Google providing the [operating system], device manufacturers adding enhancements, and app developers that do not have to go through a validation process,” he said.

This is not the first time security flaws have been discovered in Android devices. In October, researcher Trevor Eckhart disclosed a bug affecting certain HTC Android devices that could give any internet-connected application access to users' personal data. HTC has since pushed out a fix.

This article originally appeared at scmagazineus.com