New Android Market web store could open backdoor for phone hackers

Filed Under: Android, Google, Malware, Mobile, SophosLabs

Android MarketIf you follow the Google Android operating system scene, you will probably have heard about the new, web-based Android Market store which was launched a few days ago.

The Android Market website allows the user to browse, search and install Android apps using an alternative to the standard device Android Market app that comes on smartphones.

The user is simply required to sign in with their standard Google credentials and the application will retrieve the details of Android devices registered in your name as well as the details of all the Market applications you have already installed.

Once the user signs in to Android Market the application install is available at the click of a button.

Android Market

I wanted to see what happens on the device when a request to install a new app is submitted from the web-based store.

I logged into the Android Market and found an application suitable for testing: a popular game that made me waste some time last year when I first played it on an iPhone. This seemed a good opportunity to test its usability on the Android OS too. :)

The most important security aspect of the installation process on Android are the permissions an app requires on a device after the installation. Android users should particularly carefully read the required permissions before they install any applications, from the official Android Market or any other source.

For example, a game which requests unusual permissions such as SEND_SMS or RECEIVE_SMS should be considered highly suspicious and installed only if the user is certain about its functionality.

Papertoss installation screen

As expected, the web-based Android Market displays the required permissions so that the user can make an informed decision about whether to install the application.

However, the next step in the installation is where a big red security flag is raised. Once the user clicks on the install button on the website, the mobile device will automatically start downloading the application in the background.

This probably happens using the INSTALL_ASSET intent discovered last year by Jon Oberheide when Google used the Android's GTalkService mechanism to remotely remove a test Trojan application created by the researcher.

In summary - if someone managed to steal your Google password they could trick your Android smartphone into installing software, without you having to grant permission on the device itself.

The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence.

In future, however, the phishers' intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user's Android devices instead.

Google should make changes to the remote installation mechanism as soon as possible. As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed.

Let us hope that the update will come in time to prevent cybercriminals abusing the Android Market for the automatic installation of malicious software.

In the meantime, users should choose a strong password for their Google applications account. If you are not sure how to do that try watching this video for advice on choosing a unique, complex but easy-to-remember password:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

, , , ,

You might like

28 Responses to New Android Market web store could open backdoor for phone hackers

  1. Alex · 1703 days ago

    great article i dont understand why we all continue to sacrifice security for convenience, your solution of a one more step definitely seems more than reasonable. I would think at the very least you would have to opt out of this. Are the android apps scanned? or there is no control on those web apps

  2. x1134x · 1703 days ago

    When people tell me that I can't use a dictionary word as a password, I lose faith in humanity. Do you really think ANY place that you've protected with a password is going to allow millions of login attempts to your account using different passwords until it guesses the right one? You're an idiot! This tactic was thwarted over a decade ago. To use the standard dictionary to guess a windows password in this fashion would take more time than the universe has been in existence due to additional time between login attempts that the machine requires.

    The last password that was found using a dictionary attack was done eons ago, they may re-create it in a lab, but EVERY programmer knows about it and knows how to prevent it. Social engineering is the way they "hack" your account. And that isn't a "HACK" its them fooling you into GIVING it to them.

    • Andrew Ludgate · 1702 days ago

      The attack vector is no longer "let's go after this user and try a dictionary attack until we find the right one" -- attackers have moved on to "Google has millions of accounts. Statistically, if we attempt to long into x% of them, using a random sampling from this dictionary, we can attempt x different passwords on each account before the timeouts get so long that we give up on that account for the day. Within a 1 month period, we should have y compromised accounts under our control."

    • Paul Ducklin · 1702 days ago

      1. If you plan to post comments on the Naked Security site in future, please learn to be respectful. (You're lucky one of the other Naked crew got to your post first and approved it. I'd have deleted it. I don't care to see anyone - let alone my friend and colleague Vanja Svajcer! - called an idiot on this site.)

      2. You are welcome to assume that every on-line property for which you have a password will correctly perform rate-limiting to reduce the effectiveness of a dictionary attack, or will disable your account after a number of failed attempts. But that would be an unwise assumption. (Twitter, for example, didn't begin to rate-limit login attempts until after an administrator's password was cracked using exactly the approach you insist would never work.)

      3. You are welcome to seduce yourself into believing that "the last password found by a dictionary attack was done aeons ago", but you'd be wrong. In fact, you can watch a video showing my own lowly MacBook Pro laptop recovering nearly 200,000 passwords from hashes leaked from Gawker Media. That was in December 2010. (If you get the hashes, then you can crack offline, at your own pace. Any timing limitations imposed by the online authentication API become irrelevant.)

      (The "Gakwer Media" section is from 0'40" to 1'02"; the dump of cracked hashes is at about 0'53".)

      • I agree with point 3 there, dictionary attacks are only pointless if you have some sort of controlled login. If you have a coding vulnerability which allows hackers to get access to password hashes, they can try all the dictionary words they want.
        If your Gawker media password was long enough or had non-alphanumeric characters, it would not have not have been vulnerable to the 2010 attack at all.

  3. Tom · 1702 days ago

    Google could learn from AppBrain, which offers the same kind of service for Android phones but requires the user to start the install on the phone end once the website sends the install request. Until Sophos offers AV for Android phones you can use Lookout which does scan new apps when they are installed.

  4. Jason · 1702 days ago

    This is completely a non-issue. You are aware that a software installation has occurred on your device since there is a user notification that an application has been successfully installed. Additionally, if someone has compromised your Google account they can presumably get as much personal info as they want from your Gmail inbox. Please quit the fearmongering.

    • wouldn't it be better to find out that unauthorised software was attempting to be installed on your phone rather than wonder what software has been installed?

      • What wondering? After the software installs, it leaves a notification in the bar. Furthermore, on the site, apps are listed by date of install, so it's absolutely trivial to tell if something was put on your phone.

        • But you don't need to open an app for it to be a security problem. It could install, clear its notification, attack its victim and uninstall, all without the user knowing.

        • Fysi · 1678 days ago

          Fortunately with Android apps, they cant start automatically after install until opened for the first time. And the only 'hacks' you are going to see on android are keyloggers.

          • Daira Hopwood · 547 days ago

            You're wrong; the app can use any of its permissions during the install process, which is all it needs for an attack.

  5. Hermilla · 1702 days ago

    If someone manages to gain access to your Google account, then installing applications should be the least of your concerns (assuming you use the account for other services) - what about all your data in other services - email, checkout account, etc.

    Installing applications automatically is a convenience to most people.

  6. In other news, if you lose the key to your house, burglars might take that jar you've been saving up your spare change in.

    • Paul Ducklin · 1702 days ago

      It's worse than that. The analogy needs extending a bit. If you lose the key to your house, burglars might be able to install a listening device in your car, even if your car isn't anywhere near your house at the time.

      So I think Vanja's warning is an important one: your Google password doesn't just let you access your email account. It effectively unlocks your phone, too.

      • Anonymous · 1700 days ago


        Burglars might be able to install a listening device in your car, even if your car isn't anywhere near your house at the time... leaving a note in your car that reads "I just installed a listening device in your car". ;)

        • Paul Ducklin · 1700 days ago

          But the note's not terribly big, is it?

          • Its there, in your face untill you remove it manually. Oh, and you have to turn on the listening device manually for it to function. Meaning you have to start the app before it can do anything to the phone, before that, its just an APK file chilling in your system folder.

            • AndroidUser · 1699 days ago

              ...or you turn off your phone (either manually without noticing, on automatic schedule or you run out of battery) and the notification is gone!
              Upon restarting, the malware daemon is running happily away in the background...

              • You don;t have to remove it manually. HTC's messaging app removes its own notifications as you read new messages.

          • Anonymous · 1700 days ago

            It's big enough.
            You are assuming that somebody stole your Google account password.

            So all you documents are deleted.
            All you emails are deleted.
            All your contacts are stolen.

            This may happen from any PC on the planet and you didn't complain that you don't get a note for that.

  7. Jordan · 1702 days ago

    Great article! Might have to tell a few buddies to make their passwords tough to crack.

    Just thought I'd let you know there's some wording error in the first paragraph of this article. Don't know how much you guys care or if you can edit it but I thought I'd let you know.

    Thanks for the info!

  8. Shane · 1702 days ago

    What a joke of an article.. You guys being paid by apple or?

  9. Mike · 1701 days ago

    I'm not sure how this is an issue, since the web install only allows Market apps to be installed on the device. While the Market does not have an iron-clad approval process, anything like that is removed quickly.

  10. Ryo · 1692 days ago

    What a load of FUD.
    Sorry, but you know, you could report on safes getting "cracked open" when someone having the combination. Oh yeah.

  11. This only works for market-approved apps though right? *sigh of relief*

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.