"Significant" security threats found in Android devices

   Features included in some off-the-shelf Android phones contain dangerous vulnerabilities that leave the devices susceptible to infiltration, potentially enabling attackers to bypass security mechanisms and wipe users' data or record conversations, researchers from North Carolina State University warned this week.

   Android phones from leading manufacturers – including HTC, Motorola and Samsung – contain pre-loaded applications that do not properly enforce the platform's permission-based security model, designed to require each app to explicitly request permission from the user to access personal information and phone features.

   The affected apps, which, ironically, were designed to make the smartphones more user friendly, can be exploited by hackers to access and erase user data, send text messages to costly premium-rate numbers or even record a user's conversations, according to a research paper describing the issues.

   “The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential backdoors that can be used to give third-parties direct access to personal information or other phone features,” Xuxian Jiang, an assistant professor of computer science at NC State and co-author of the research paper, said in a news release.

   The researchers developed a tool, called Woodpecker, to identify these so-called “capability leaks,” or situations where an app can gain permission without actually requesting it. They tested eight different smartphone models, including two loaded only with Google's baseline Android software, meaning there were no additional apps loaded.

   Both of those did not contain the flaw. Five other models, however, had “significant vulnerabilities,” including HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G, each of which contained multiple capability leaks. The EVO 4G was found to be most vulnerable.

   “We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today,” the report stated.

   The affected vendors were informed about the issues earlier this year. According to the research paper, Motorola and Google have confirmed the reported vulnerabilities in the affected phones. HTC and Samsung, however, have been “really slow” in responding to the revelations.

   Representatives from HTC, Motorola and Samsung did not immediately respond when contacted by SCMagazineUS.com on Friday.

   Amit Sinha, CTO at security firm Zscaler, said in a statement sent to SCMagazineUS.com on Thursday that managing the security of Android devices will likely become even more challenging in the future.

   “Android is a complex ecosystem with Google providing the [operating system], device manufacturers adding enhancements, and app developers that do not have to go through a validation process,” he said.

   This is not the first time security flaws have been discovered in Android devices. In October, researcher Trevor Eckhart disclosed a bug affecting certain HTC Android devices that could give any internet-connected application access to users' personal data. HTC has since pushed out a fix.

(责任编辑:)

分享到:

更多
发表评论
请自觉遵守互联网相关的政策法规,严禁发布色情、暴力、反动的言论。
评价:
表情:
  • 微笑/wx
  • 撇嘴/pz
  • 抓狂/zk
  • 流汗/lh
  • 大兵/db
  • 奋斗/fd
  • 疑问/yw
  • 晕/y
  • 偷笑/wx
  • 可爱/ka
  • 傲慢/am
  • 惊恐/jk
用户名: 验证码:点击我更换图片
资料下载专区
图文资讯

英国官员:让华为参与英国5G建设风险可控

西媒:以色列打造网络安全“硅谷”

俄罗斯力推脱离互联网计划 确保应急状态下

GSMA呼吁欧洲守住网络安全和网络基建供应竞

涉嫌窃取近千政界人士信息 德国20岁黑客遭

返回首页 返回顶部