Android flaw can disable, corrupt AV tools

Vulnerability in Google's Android OS can be exploited by malicious apps to render users' antivirus scans inoperative and even corrupt such software, security expert warns.

Consumers using Android-powered devices will have another security risk to contend with after a security expert pointed out that a "component" within the operating system (OS) can be exploited to disable installed antivirus software, even corrupting the software to become another malicious app.

Riley Hassell, founder of Privateer Labs, a boutique security firm, told ZDNet Asia during a phone briefing Friday that this issue afflicts a "popular component" of the Android OS, which he declined to disclose as he is scheduled to speak to Google regarding the vulnerability.

According to him, hackers can create malicious apps and publish them on the Android Market as "trusted apps" since the marketplace does not check software before it is made available to the masses. Once such an app is installed by a user, it can disable antivirus software on the device by exploiting the component's vulnerability. In some cases, the antivirus software can be corrupted and used as a malicious app by cybercriminals to steal the mobile owner's personal information, he said.

Hassell stressed that this is "definitely an Android problem", adding he had tested the vulnerability on "top-end" mobile antivirus software. That said, the research is not complete and more details will be disclosed to ZDNet Asia in the following weeks and via the Hack in the Box conference to be held in Kuala Lumpur, Malaysia in October.

The security expert also pointed out "app phishing" as another Android-based exploit that is hidden from the spotlight.

Elaborating, Hassell said cybercrooks typically trick users into downloading a seemingly real Android app that comes with a Trojan which alerts the developer whenever the user activates the app.

In the case of a banking app, for example, the hacker would wait for the user to sign on to the service and hijack the session by pushing a fake authentication window to steal log-in credentials, he explained. The fake window is closed before the user even knows he has been attacked.

Hassell pointed out that this exploit has yet to be seen in the wild, but the loophole is there to be exploited and financial data and other personal information could be lost in such attacks.

Security is community's responsibility

Quizzed if he would be speaking to Google regarding implementing security checks before developers can upload their apps onto the Android marketplace, Hassell said it is "tough" to determine who should be responsible for upholding the security of Android apps.

He admitted that in an ideal world, it would be good for Google to guide developers--particularly consumers who are trying their hand at creating their own mobile apps for the platform--to write secure code. That said, he recognized that this might not be "viable" for the Internet giant from a business perspective.

"This is a tough problem to solve and it needs to be solved as an [Android] community," Hassell surmised.

Chris Wysopal, CTO at Veracode, an application security provider, earlier this year called for Android Market apps to be scanned for traces of malware to protect Android customers from downloading apps that look legitimate but are in fact malicious. "At a minimum, they have to do signature-based scanning for known malware," he said.

This year alone, Google has on at least two occasions revoked apps from its marketplace. It removed over 50 malicious apps from its marketplace in March and followed up with two dozen in June, according to mobile security firm Lookout.