A new version of the Android Market has just been launched, making it possible for every device owner to look for applications, buy or even remotely install apps to an Android device directly from the browser on a desktop computer. Wait, remotely install? Have we misheard something?
No, it’s an official feature of the brand new market. If you use an Android device, it means that you have a GMail account associated with your device, and now you can remotely install any application from the Android store. You just need to:
If your smartphone is connected to the Internet, you will immediately notice on the device's screen that an install is already taking place. Why is this a problem? When installing apps via the Market on your phone, you must agree to all the permissions being requested before the app will actually install on your phone. With this new incarnation of the Android Market, those permissions are only displayed on the app page within the web interface of the Android Market. After agreeing to these permissions there, the app is installed without any notification on your mobile device.
So what? Isn't that convenient? Yes, for you and for anyone who may gain unauthorized access to your Gmail account. This would give the attacker the ability to purchase and install any app available within the Android Market.
Apps within the Android Market feature a lot of options, many of which could be used maliciously by an unauthorized third party.
This is just one more reason to create strong passwords and be ever vigilant about access to your accounts and devices.
We have reached out to Google to discuss this security risk.
We can't seem to find a way to disable these remote installs from the browser. At a minimum, it's important that Android users have the ability to turn off this feature.
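As an added illustration, not part of the original post or of the Android Market itself, the script below shows the check a device owner or administrator would want: which apps the Market installed on the device since the last time it was checked, and which of those request permissions that can cost money or reach the network. It assumes the input is the text of `adb shell dumpsys package`, which lists each package with `installerPackageName=`, `firstInstallTime=` and a `requested permissions:` block; the sample in the code is constructed in that shape rather than captured from a device, and the permission set flagged is an example list, not a definitive one.

```python
"""
Audit an Android device's installed packages for installs that arrived
without an on-device consent prompt, e.g. a remote install from the
web Market, and report those requesting costly permissions.

Assumption: the input is the text of `adb shell dumpsys package`, which
lists each package with `installerPackageName=`, `firstInstallTime=` and
a `requested permissions:` block. The sample below is constructed for
this example, not captured from a real device.
"""
import re
from datetime import datetime

# Constructed sample in the shape of `dumpsys package` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (4a1b2c):
    installerPackageName=com.android.vending
    firstInstallTime=2011-02-01 09:12:33
    requested permissions:
      android.permission.INTERNET
  Package [com.example.dialer] (7d8e9f):
    installerPackageName=com.android.vending
    firstInstallTime=2011-02-04 15:09:41
    requested permissions:
      android.permission.SEND_SMS
      android.permission.CALL_PHONE
      android.permission.INTERNET
  Package [com.android.settings] (1a2b3c):
    installerPackageName=null
    firstInstallTime=2010-12-10 00:00:00
    requested permissions:
      android.permission.WRITE_SETTINGS
"""

# Example set of permissions that let an app spend the owner's money or
# talk to the network with no further prompt; extend as needed.
COSTLY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.INTERNET",
}

# Installer id the Market uses on the device.
MARKET_INSTALLER = "com.android.vending"


def parse_timestamp(text):
    """Parse the `YYYY-MM-DD HH:MM:SS` form dumpsys prints."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_packages(dump):
    """Return a list of dicts: name, installer, first_install, permissions."""
    packages = []
    current = None
    in_perms = False
    for line in dump.splitlines():
        stripped = line.strip()
        header = re.match(r"Package \[([\w.]+)\]", stripped)
        if header:
            current = {"name": header.group(1), "installer": None,
                       "first_install": None, "permissions": []}
            packages.append(current)
            in_perms = False
            continue
        if current is None:
            continue
        if stripped.startswith("installerPackageName="):
            current["installer"] = stripped.split("=", 1)[1]
            in_perms = False
        elif stripped.startswith("firstInstallTime="):
            current["first_install"] = parse_timestamp(stripped.split("=", 1)[1])
            in_perms = False
        elif stripped == "requested permissions:":
            in_perms = True
        elif in_perms and stripped.startswith("android.permission."):
            current["permissions"].append(stripped)
        else:
            in_perms = False  # any other line ends the permission block
    return packages


def suspicious_installs(dump, since, installer=MARKET_INSTALLER):
    """Packages `installer` put on the device at or after `since` that
    request at least one costly permission: (name, time, [permissions])."""
    hits = []
    for pkg in parse_packages(dump):
        if pkg["installer"] != installer or pkg["first_install"] is None:
            continue
        if pkg["first_install"] < since:
            continue
        risky = sorted(COSTLY_PERMISSIONS & set(pkg["permissions"]))
        if risky:
            hits.append((pkg["name"], pkg["first_install"], risky))
    return hits


if __name__ == "__main__":
    # "What did the Market install since I last looked at my phone?"
    last_checked = parse_timestamp("2011-02-04 00:00:00")
    for name, when, perms in suspicious_installs(SAMPLE_DUMPSYS, last_checked):
        print(f"{name} installed {when} requesting {', '.join(perms)}")
```

On a real device you would feed it `adb shell dumpsys package > dump.txt` and pass the file contents instead of the constructed sample; the installer field is what separates Market installs from sideloaded or system packages, and the timestamp cutoff is what turns the app drawer's "it's there now" into "it arrived while I wasn't looking".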
2011 Feb 04, 08:03
2011 Feb 04, 15:09
> If you use an Android device, it means that you have a GMail account associated with your device
2011 Feb 04, 21:17
The attack doesn't add up.
I need a little more explanation on the hypothetical attack here. First, someone has to compromise a Google account. As it is, that's already about the worst info security incident that could possibly happen in many people's personal affairs if their Google account is also their primary email address. And, it would already allow the attacker to purchase apps in the victim's name on any Android phone the attacker had access to. Now it is supposedly significantly worse, because they could start buying and installing official Android Market apps onto the victim's phone remotely, without them knowing. Well, except that there'd be alerts in the notification bar, and the apps would appear in the app drawer, and they'd be at the top of the "my apps" list in the Market app, and it wouldn't run the app unless the victim manually opened it, but other than all that, the victim would be unaware. So, the attacker has stolen a Google account, and he's installed Market apps remotely on the victim's phone. In some manner completely left to the imagination of the reader here, the attacker can then take advantage of those apps on the victim's phone in order to do more bad things. I'm having trouble imagining what. "A lot of options"? Such as?
Edited by Yar, 2011 Feb 04, 21:30
Re: The attack doesn't add up.
Ok, let's consider the attack's benefits and vectors. I'd refrain from assuming people blindly toss their main personal email into various dirty places like the Web, Market, etc. At least recent research has shown people have got a bit smarter in having lots of "sacrifice" email addresses just for such use cases. Hence, I assume only the Google account is compromised, which MAY mean (although not necessarily) the GMail account. If GMail is involved, AND if it's the person's main email... Ok, admittedly he's dead, so breaking into his Android and his phone's troubles are probably not the worst that will happen to him from now on.
So, let's focus on the case where the compromised G-acc is insignificant. Right, the attacker will spend some (well, LOTS) of the victim's money to buy apps on his behalf. But what would be the benefit to the attacker? I believe not of much significance. Although it's a pleasure to use something for free, you can't convert that to any real (and serious) cash. Unless of course you organise wholesale industry-wide services on the basis of the stolen few-dollar apps... That I don't consider a serious option due to the easy chance of getting caught with this "business". What else? No personal email access (according to the above scoping of the problem), no banking access, no social network access, no (etc...). Options? What options?
Re: Re: The attack doesn't add up.
On March 5, 2011, Google acknowledged malware-infected apps in the Android Market (ref: Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j). What would be more damaging than someone having you pay for apps installed on your Android would be having malware-infected apps installed on your Android. Having your Android used in a botnet. Having your Android attempt to infect other Androids in the area. Sending SMS, or dialing premium-rate numbers with no desktop notification. There is the potential of the user losing more than a couple of dollars from the Android Market download.
I can think of worse, but not by much.