
The dark side of the new Android Market

Denis
Kaspersky Lab Expert
Posted February 03, 16:22  GMT
Tags: Google Android

A new version of the Android Market has just been launched. It lets every device owner browse applications, buy them, and even remotely install apps onto an Android device directly from the browser on a desktop computer. Wait, remotely install? Have we misheard something?

No, it’s an official feature of the brand new market. If you use an Android device, it means that you have a GMail account associated with your device, and now you can remotely install any application from the Android store. You just need to:

  • log in to the Market with the GMail account associated with your smartphone;
  • choose any application you would like to install;
  • click the ‘Install’ link;
  • carefully read all the permissions the application requests;
  • click the ‘Install’ link again.

If your smartphone is connected to the Internet, you will immediately see on the device’s screen that an install is already taking place. Why is this a problem? When installing apps via the Market on your phone, you must agree on the device itself to all the permissions being requested before the app will actually install. With this new incarnation of the Android Market, those permissions are only displayed on the app page within the web interface of the Market. After agreeing to them there, the app is installed without any prompt on your mobile device.
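Because the device shows no confirmation prompt, the only on-device check left to the owner is to audit what has arrived and which permissions it holds. The script below is an added example, not code from the original post or from Google: it parses a constructed, trimmed rendition of `adb shell dumpsys package` output (the field names `firstInstallTime`, `installerPackageName` and `grantedPermissions` are assumed for this sample) and flags packages that the Market installer put on the device inside a time window, together with the money- or network-relevant permissions they were granted. The set of risky permissions is an editorial choice for the example.

```python
import re
from datetime import datetime, timedelta

# Permissions that let an app cost the owner money or reach the network with no
# further interaction. Editorial choice for this example, not a Market list.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.INTERNET",
}

# Constructed sample shaped like a trimmed `adb shell dumpsys package` dump.
# The timestamps and package names are invented for the example.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.notes] (4a1b2c):
    firstInstallTime=2011-01-20 09:12:44
    installerPackageName=com.android.vending
    grantedPermissions:
      android.permission.INTERNET
  Package [com.example.dialer.helper] (7d8e9f):
    firstInstallTime=2011-02-03 16:31:02
    installerPackageName=com.android.vending
    grantedPermissions:
      android.permission.SEND_SMS
      android.permission.CALL_PHONE
      android.permission.INTERNET
  Package [com.example.game] (11aa22):
    firstInstallTime=2011-02-03 16:40:55
    installerPackageName=null
    grantedPermissions:
      android.permission.INTERNET
"""

PKG_RE = re.compile(r"^\s*Package \[(?P<name>[^\]]+)\]")
KV_RE = re.compile(r"^\s*(?P<key>\w+)=(?P<val>.*)$")
PERM_RE = re.compile(r"^\s+(?P<perm>android\.permission\.[A-Z_]+)\s*$")


def parse_packages(dump):
    """Return {package: {'installed': datetime|None, 'installer': str|None, 'perms': set}}."""
    packages, current, in_perms = {}, None, False
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = packages.setdefault(
                m.group("name"), {"installed": None, "installer": None, "perms": set()})
            in_perms = False
            continue
        if current is None:
            continue
        if line.strip() == "grantedPermissions:":
            in_perms = True
            continue
        m = KV_RE.match(line)
        if m:
            # Any key=value line ends the permission list of the current package.
            in_perms = False
            key, val = m.group("key"), m.group("val").strip()
            if key == "firstInstallTime":
                current["installed"] = datetime.strptime(val, "%Y-%m-%d %H:%M:%S")
            elif key == "installerPackageName":
                current["installer"] = val
            continue
        m = PERM_RE.match(line)
        if m and in_perms:
            current["perms"].add(m.group("perm"))
    return packages


def flag_recent_installs(packages, now, window=timedelta(hours=24),
                         installer="com.android.vending"):
    """Packages the Market installed inside the window, each mapped to its risky permissions."""
    cutoff = now - window
    flagged = {}
    for name, info in packages.items():
        if info["installer"] != installer or info["installed"] is None:
            continue
        if info["installed"] >= cutoff:
            flagged[name] = sorted(info["perms"] & RISKY_PERMISSIONS)
    return flagged


def audit(dump, now_str, hours=24):
    """Convenience wrapper: parse a dump and flag Market installs newer than `hours`."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    return flag_recent_installs(parse_packages(dump), now, timedelta(hours=hours))


if __name__ == "__main__":
    for pkg, perms in audit(SAMPLE_DUMP, "2011-02-04 08:00:00").items():
        print(f"{pkg}: installed by the Market in the last 24h, risky permissions: {perms}")
```

In the sample only `com.example.dialer.helper` is reported: it was installed through the Market inside the window and holds SEND_SMS and CALL_PHONE, the permissions that let an app run up premium-rate charges. `com.example.game` is just as new but was sideloaded, so it falls outside the question this post raises; widen the installer filter if you also want those.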

So what? Isn’t that convenient? Yes, for you, and equally for anyone who gains unauthorized access to your Google account. With the account, an attacker can purchase and install any app available within the Android Market onto your phone.

Apps within the Android Market request a wide range of permissions, many of which could be abused by an unauthorized third party.

This is just one more reason to create strong passwords, and to be ever vigilant about access to your accounts and devices.

We have reached out to Google to discuss this security risk.

We could not find a way to disable these remote installs from the browser. At a minimum, Android users should have the ability to turn this feature off.


5 comments


ZacharyU cgff

2011 Feb 04, 08:03
-1
 

Android market


Price movements are reflections of what is happening in the economy. In NV, a judge has granted an order stopping home foreclosures by a Bank of America subsidiary. I found this here: Thousands of Nevada foreclosures halted by injunction A total of about 8,900 home foreclosures are affected by this order. This includes currently pending foreclosures. The bank is fighting against this order by citing “harm caused to the public interest.”


Van Jone

2011 Feb 04, 15:09
0
 

> If you use an Android device, it means that you have a GMail account associated with your device

Generally not true, although it probably holds for the majority of owners. More precisely, to use A-Market a) you do have to have a Google account, but b) that doesn't automatically mean GMail, as Gmail <> Google account. That's all from personal experience, as I own an Android myself and am both a) and b). I did have to shut down my GMail account manually after it was automatically created with the Google account, but it's still possible to do if you don't like GMail (and the security holes associated with it).


Yar

2011 Feb 04, 21:17
0
 

The attack doesn't add up.

I need a little more explanation on the hypothetical attack here. First, someone has to compromise a Google account. As it is, that's already about the worst info security incident that could possibly happen in many people's personal affairs if their Google account is also their primary email address. And, it would already allow the attacker to purchase apps in the victim's name on any Android phone the attacker had access to. Now it is supposedly significantly worse, because they could start buying and installing official Android Market apps onto the victim's phone remotely, without them knowing. Well, except that there'd be alerts in the notification bar, and the apps would appear in the app drawer, and they'd be at the top of the "my apps" list in the Market app, and it wouldn't run the app unless the victim manually opened it, but other than all that, the victim would be unaware. So, the attacker has stolen a Google account, and he's installed Market apps remotely on the victim's phone. In some manner completely left to the imagination of the reader here, the attacker can then take advantage of those apps on the victim's phone in order to do more bad things. I'm having trouble imagining what. "A lot of options"? Such as?

Slow news day in the security business?

Edited by Yar, 2011 Feb 04, 21:30


Van Jone

2011 Mar 01, 02:52
0
 

Re: The attack doesn't add up.

Ok, let's consider the attack's benefits and vectors. I'd refrain from assuming people blindly toss their main personal email into various dirty places like the Web, the Market, etc. At least recent research has shown people have got a bit smarter about having lots of "sacrifice" email addresses just for such use cases. Hence, I assume only the Google acc is compromised, which MAY mean (although not necessarily) a GMail acc. If GMail is involved, AND if it's the person's main email... Ok, admittedly he's dead, so breaking into his Android and his phone's troubles are probably not the worst that will happen to him from now on.

So, let's focus on the case of the compromised G-acc being insignificant. Right, the attacker will spend some (well, LOTS) of the victim's money to buy apps on his behalf. But what'd be the benefit to the attacker? I believe not of much significance. Although it's a pleasure to use something for free, you can't convert that to any real (and serious) cash. Unless of course you organise wholesale industry-wide services on the basis of the stolen few-dollar apps... That I don't consider a serious option due to the easy chance of getting caught with this "business". What else? No personal email access (according to the above scoping of the problem), no banking access, no social network access, no (etc...). Options? What options?


ArthurG

2011 Apr 05, 04:30
0
 

Re: Re: The attack doesn't add up.

On March 5, 2011, Google acknowledged malware-infected apps in the Android Market (ref: Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j). What would be more damaging than someone having you pay for apps installed on your Android would be having malware-infected apps installed on your Android. Having your Android used in a bot-net. Having your Android attempt to infect other Androids in the area. Sending SMS, or dialling premium-rate numbers, with no desktop notification. There is the potential of the user losing more than a couple of dollars from the Android Market download.

I can think of worse, but not by much.
