A security researcher has built a malicious application that can open a remote shell on Android phones without access permissions.
The application works on stock devices without root access or an exploit, and was successfully tested on Android versions from the latest release, 4.0 (dubbed Ice Cream Sandwich), down to version 1.5.
“Android’s power and flexibility were perhaps also its downfall,” Thomas Cannon, ViaForensics research director and creator of the app, said.
“Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user.”
The application can access root data from within the Android sandbox.
It bypasses Android’s permission system, which normally alerts users when applications seek to acquire access rights such as internet connectivity.
When installed, it appears to have no access rights.
The Android flaw was detailed (pdf) by Anthony Lineberry at Defcon 18 last year.
Cannon also found that the stock Android email client had stored documents such as mail and PDF files on the SD card, despite Google documentation recommending that sensitive information not be stored on the card.
“Clearly some applications do store information here and perhaps you could see your photos stored here,” Cannon said.
After the application was used to dump information from the phone, evidence was wiped using a simple hide command run in the shell.
Cannon said the same functionality used to run the shell also allowed Android systems to be customised and hardened.
ViaForensics had separately designed a proof-of-concept Loadable Kernel Module for an unnamed client to proactively monitor and defend intellectual property as it passed through Android devices.
“It is no surprise that we have seen adoption of Android research projects in the military and government as [Android] can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it.”