If you follow the Google Android operating system scene, you will probably have heard about the new, web-based Android Market store which was launched a few days ago.
The Android Market website allows the user to browse, search and install Android apps using an alternative to the standard device Android Market app that comes on smartphones.
The user is simply required to sign in with their standard Google credentials and the application will retrieve the details of Android devices registered in your name as well as the details of all the Market applications you have already installed.
Once the user signs in to Android Market the application install is available at the click of a button.
I wanted to see what happens on the device when a request to install a new app is submitted from the web-based store.
I logged into the Android Market and found an application suitable for testing: a popular game that made me waste some time last year when I first played it on an iPhone. This seemed a good opportunity to test its usability on the Android OS too. :)
The most important security aspect of the installation process on Android are the permissions an app requires on a device after the installation. Android users should particularly carefully read the required permissions before they install any applications, from the official Android Market or any other source.
For example, a game which requests unusual permissions such as SEND_SMS or RECEIVE_SMS should be considered highly suspicious and installed only if the user is certain about its functionality.
As expected, the web-based Android Market displays the required permissions so that the user can make an informed decision about whether to install the application.
However, the next step in the installation is where a big red security flag is raised. Once the user clicks on the install button on the website, the mobile device will automatically start downloading the application in the background.
This probably happens using the INSTALL_ASSET intent discovered last year by Jon Oberheide when Google used the Android’s GTalkService mechanism to remotely remove a test Trojan application created by the researcher.
In summary – if someone managed to steal your Google password they could trick your Android smartphone into installing software, without you having to grant permission on the device itself.
The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence.
In future, however, the phishers’ intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user’s Android devices instead.
Google should make changes to the remote installation mechanism as soon as possible. As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed.
Let us hope that the update will come in time to prevent cybercriminals abusing the Android Market for the automatic installation of malicious software.
In the meantime, users should choose a strong password for their Google applications account. If you are not sure how to do that try watching this video for advice on choosing a unique, complex but easy-to-remember password:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)