Once thought to be unhackable, the Android phone is anything but, according to researchers presenting at Black Hat 2010. Not only has malicious software cloaked in a wallpaper application stolen personal information from infected phones and sent it to a website in China, but researchers from Lookout Mobile Security have found a way to take the phones over completely – including top-of-the-line models hawked by major wireless carriers.
In one presentation, Lookout's CEO John Herring said the Jackeey Wallpaper app, which has been downloaded millions of times, can gather passwords, browser history, the subscriber ID and SIM card numbers and text messages.
In a separate presentation, researchers said top-of-the-line Android phones used by Sprint and Verizon can be taken over completely by attacking known flaws in the Linux operating system that underpins Android, researchers reported at Black Hat 2010. "It gives you root control, and you can do anything you want to do" with the phone, says Anthony Lineberry, a researcher for Lookout Mobile Security.
The company says Android's reputation for security may be exaggerated. "It survived the recent pwn2own slay fest unscathed, but this does not mean it is safe by any means," the company said in describing Lineberry's talk.
The best way to distribute malware that could exploit the flaw – known as CVE-2009 1185 – is via Android applications that customers might acquire free or buy from the Android Market. Installing the booby-trapped application would give root control of the device, Lineberry says. "Root is kind of God mode in the context of Linux. Once you have that, you have pretty much any system privilege."
CVE-2009 1185 has been known for more than a year and can be patched, but so far the carriers have not issued patches, Lineberry says. The root-control exploit has been successfully carried out in Lookout labs on EVO 4G (Sprint), Droid X (Verizon), and Droid Incredible (Verizon) as well as older models G1 and Hero, he says.
But root control is unnecessary in order to carry out the type of attack executed by Jackeey Wallpaper, according to another Lookout researcher, Tim Wyatt. Applications require permissions in order to access features of the phone, and these permissions can be exploited. So, for instance, an application that tells the customer the nearest Chinese restaurant would need access to the phones GPS capabilities.
When selling applications, developers must list all the permissions the application requires to work, and the customer must sign off on allowing those permissions. An application that sorts SMS messages but requires Internet access may seem suspicious, and customers might bail out of buying the application.
But some permissions sound innocuous, Wyatt says. Customers might not know what the permission "Import Android log" means, but approve an application that requires it because the name of the permission doesn't sound threatening. But the logs can reveal browsing histories, passwords, phone numbers and a wealth of other data, he says. Malicious applications with Internet permissions can be crafted to send the data in the background or display innocuous websites to mask where the data is being sent, Wyatt says.
The best course for users is to beware the applications they buy and if they are suspicious, not to download the apps, Lineberry says.
Lookout has carried out a study it calls the App Genome project that examined Android and iPhone applications for what permissions they have and what malicious activity they might carry out with the set of permissions they have. An application might use the permissions legitimately, but in the hands of a hacker could cause mischief, the company says.
Part of the permission system in Android allows applications to tap each other's resources, so an application without permission to access the Internet might have access to an application that does and so use the Internet anyway, the researchers say.