North Carolina State University researchers say some Android smartphone makers' efforts to go above and beyond the Google mobile platform's basics open their devices to security breaches.
"Some of these preloaded applications, or features, are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages," says Xuxian Jiang, an assistant professor of computer science at NC State and co-author of a paper describing the research. "The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential 'backdoors' that can be used to give third parties direct access to personal information or other phone features."
Hackers could trick the apps into recording your phone calls or wiping out your settings, says Jiang, whose team used a tool dubbed "Woodpecker" to detect vulnerabilities.
Such smartphone flaws are welcome news to hackers, who see Android phones as an increasingly juicy target: Gartner says more than half of the smartphones sold worldwide in the third quarter run Android, and that's double the number from the third quarter last year.
Vendors such as McAfee and Juniper Networks have recently released study results showing a boom in malware targeting Android devices, though Google has countered that some vendors may just be trying to roil up the market to sell more of their security wares.
NC State researchers have had their eyes on Android security for some time. Network World spoke with Xuxian Jiang in April about an effort to defend Android users from privacy thieves. The NC State team's privacy mode software, dubbed Taming Information-Stealing Smartphone Applications (TISSA), would give Android users more control over what information they divulge to makers of third party apps, both at the time of downloading the app and while it's running.
Based on NC State's latest research, on eight different smartphone models, Motorola Droid and plain Google reference implementations fared best. However, HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G all showed significant vulnerabilities. NC State researchers say they notified manufacturers about the holes earlier this year.
The research, supported by the National Science Foundation and US Army Research Office, will be presented at the Network and Distributed System Security Symposium.