November 30, 2011
New research from North Carolina State University shows that some smartphones specifically designed to support the Android mobile platform have incorporated additional features that can be used by hackers to bypass Android’s security features, making them more vulnerable to attack. Android has the largest share of the smartphone market in the U.S.
“Some of these pre-loaded applications, or features, are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages,” says Dr. Xuxian Jiang, an assistant professor of computer science at NC State and co-author of a paper describing the research. “The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential ‘backdoors’ that can be used to give third-parties direct access to personal information or other phone features.”
In essence, these pre-loaded apps can be easily tricked by hackers. For example, these “backdoors” can be used to record your phone calls, send text messages to premium numbers that will charge your account or even completely wipe out all of your settings.
The researchers have tested eight different smartphone models, including two “reference implementations” that were loaded only with Google’s baseline Android software. “Google’s reference implementations and the Motorola Droid were basically clean,” Jiang says. “No real problems there.”
However, five other models did not fare as well. HTC’s Legend, EVO 4G and Wildfire S, Motorola’s Droid X and Samsung’s Epic 4G all had significant vulnerabilities – with the EVO 4G displaying the most vulnerabilities. The full paper, with technical details, is available here.
The researchers notified manufacturers of the vulnerabilities as soon as they were discovered, earlier this year.
“If you have one of these phones, your best bet to protect yourself moving forward is to make sure you accept security updates from your vendor,” Jiang says. “And avoid installing any apps that you don’t trust completely.”
Researchers now plan to test these vulnerabilities in other smartphone models and determine whether third-party firmware has similar vulnerabilities.
The paper, “Systematic Detection of Capability Leaks in Stock Android Smartphones,” will be presented Feb. 7, 2012, at the 19th Network and Distributed System Security Symposium in San Diego, Calif. The paper was co-authored by Jiang and NC State Ph.D. students Michael Grace, Yajin Zhou and Zhi Wang. The research was supported by the National Science Foundation and the U.S. Army Research Office. A video demonstrating how the vulnerabilities work is available here.
NC State’s Department of Computer Science is part of the university’s College of Engineering.
Note to Editors: The study abstract follows.
“Systematic Detection of Capability Leaks in Stock Android Smartphones”
Authors: Michael Grace, Yajin Zhou, Zhi Wang and Xuxian Jiang, North Carolina State University
To-be-presented: February 7, 2012 at the 19th Network and Distributed System Security Symposium (NDSS 2012), San Diego, Calif.
Abstract: Recent years have witnessed a meteoric increase in the adoption of smartphones. To manage information and features on such phones, Android provides a permission-based security model that requires each application to explicitly request permissions before it can be installed to run. In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use. To identify these leaked permissions or capabilities, we have developed a tool called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission.