Certain smartphone models running Google’s Android operating system have security flaws that could allow hackers to steal personal information or record conversations, researchers said this week.
In a demonstration at the Black Hat security conference in Abu Dhabi, a UK researcher showed how a vulnerability in the web browser on an HTC Android phone allowed him to install an application that gave him broad control over the phone.
Another method of attack is to get a user to install a seemingly harmless application, which can then be used to access data. The researcher from MWR InfoSecurity showed that the application could re-install itself with greater privileges and give a hacker broad powers, including recording.
The Black Hat presentation was the latest in a series of findings in the past two weeks raising concerns about the security of Android phones, which have overtaken those made by Apple to claim 25 per cent of the global market in the third quarter, according to Gartner.
Another team presented a similar scenario at a security conference in Oregon, using what appeared to be an innocuous application for a popular game – Angry Birds – that in turn installed malicious programs.
“We’ve begun rolling out a fix for this issue, which will apply to all Android devices,” Google said.
“As always, we advise users to only install applications they trust.”
While there have been few reports of criminals using such techniques yet, experts said it was only a matter of time.
Some of the demonstration code produced by researchers is circulating, while a recent analysis of the Android kernel – the core of the operating system – turned up scores of critical bugs, as first reported by the Financial Times.
Most of the attack techniques that have been made public, including those shown at Black Hat, do not work on the latest edition of Android, called version 2.2.
The MWR researcher, a browser expert who uses only the first name Nils, agreed that Google could easily fix the holes he used to break into Android.
But he said that Google’s fragmented model of distribution, which includes multiple handset manufacturers and many carriers, means that some owners of older Android phones will remain exposed for an extended period.