A team of researchers from North Carolina State University discovered the security vulnerability on eight different smartphones from Google, HTC, Motorola and Samsung. According to the paper published by the team, the flaw relates to how the Android permission-based security model is enforced and allows permissions granted to a pre-installed app to be 'leaked' to another without user consent.
Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones - all without asking for any permission
The eight smartphones tested by the team were:
- HTC Legend
- HTC EVO 4G
- HTC Wildfire S
- Motorola Droid
- Motorola Droid X
- Samsung Epic 4G
- Google Nexus One
- Google Nexus S
The team used a custom-build scanner called 'Woodpecker' to scan the pre-loaded apps for permissions leaks relating to the following permissions:
The leaks were categorized as follows:
- Explicit capability leaks - Allow an app to successfully access certain permissions by exploiting some publicly-accessible interfaces or services without actually requesting these permissions by itself.
- Implicit capability leaks - Allow the same, but instead of exploiting some public interfaces or services, permit an app to acquire or "inherit" permissions from another app with the same signing key.
Here are the results from the tests:
The researchers called these findings 'worrisome.'
Here's a video demonstration of the permissions leakage in action:
Bottom line, bloatware installed by the handset manufacturers is making Android insecure.
Related: