A team of researchers from North Carolina State University discovered a security vulnerability on eight different smartphones from Google, HTC, Motorola and Samsung. According to the paper published by the team, the flaw relates to how the Android permission-based security model is enforced, and it allows permissions granted to a pre-installed app to be 'leaked' to another app without user consent.
"Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones - all without asking for any permission."
The eight smartphones tested by the team were:
The team used a custom-built scanner called 'Woodpecker' to scan the pre-loaded apps for permission leaks relating to the following permissions:
The leaks were categorized as follows:
Here are the results from the tests:
The researchers called these findings 'worrisome.'
Here's a video demonstration of the permissions leakage in action:
Bottom line, bloatware installed by the handset manufacturers is making Android insecure.