A new Web-based app store that allows Android users to remotely download apps to their phone increases the potential fallout of a compromised Google account, security experts say.
Some security vendors are raising the question of whether the browser-based version of the Google Android Market could open up opportunities for attackers.
Google recently launched a new version of the Market that allows a device owner to search for, buy and install applications on their mobile device remotely over the Web from a desktop computer. To do this, all the user needs to do is log in to their Google account.
While the capability was meant as a nod to user convenience, some warn that the functionality increases the potential fallout if someone's Google account is compromised.
"This is just one more reason to create strong passwords, and be ever-vigilant about access to your accounts and devices," blogged Denis Maslennikov, senior malware analyst at Kaspersky Lab.
"If your smartphone is connected to the Internet, you will immediately notice that on the device's screen an install is already taking place," he wrote. "Why is this a problem? When installing apps via the Market on your phone, you must agree to all the permissions being requested before the app will actually install on your phone.
"With this new incarnation of the Android Market, those permissions are only displayed on the app page within the Web interface of the Android Market," he continued. "After agreeing to these permissions, the app is installed without any notifications on your mobile device."
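The design point Maslennikov describes, consent captured only in the web interface rather than on the phone, can be made concrete with a small model. The following is an added example written for this article; it is a constructed toy, not Google's or Kaspersky's code, and the class names, account addresses, app names and permission strings are all assumptions. It contrasts a market where accepting permissions in the browser pushes the install straight to the device with a hardened variant where the browser can only queue a request that the phone must approve on screen.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    """A phone tied to one account (constructed model)."""
    owner: str
    installed: list = field(default_factory=list)       # apps already on the phone
    pending: dict = field(default_factory=dict)         # install_id -> (app, permissions)
    notifications: list = field(default_factory=list)   # what the owner sees on screen


@dataclass
class WebSession:
    """A logged-in browser session. Anyone holding the account credentials gets one."""
    account: str


class MarketWebOnlyConsent:
    """Weak design described in the article: permissions are accepted on the web page
    and the install is pushed to the phone with no on-device prompt."""

    def __init__(self, devices):
        self.devices = devices  # account -> Device

    def install(self, session, app, permissions, accepted):
        if not accepted:
            raise PermissionError("permissions not accepted on the web page")
        device = self.devices[session.account]
        device.installed.append(app)   # silent: nothing is added to device.notifications
        return "installed"


class MarketDeviceConsent:
    """Hardened variant: the web session can only *request* an install; the phone
    shows the permissions and must approve before anything is installed."""

    def __init__(self, devices):
        self.devices = devices
        self._counter = 0

    def request_install(self, session, app, permissions):
        device = self.devices[session.account]
        self._counter += 1
        install_id = f"req-{self._counter}"
        device.pending[install_id] = (app, permissions)
        device.notifications.append(
            f"Remote install requested for {app} with permissions {permissions}. Approve?"
        )
        return install_id   # nothing installed yet

    @staticmethod
    def device_decides(device, install_id, approve):
        app, _permissions = device.pending.pop(install_id)
        if approve:
            device.installed.append(app)
        return app in device.installed


def run_scenarios():
    """Drive both designs with constructed accounts. A web session alone stands in for
    whoever holds the credentials. Returns the outcomes so they can be checked."""
    perms = ["INTERNET", "READ_CONTACTS"]   # constructed permission names

    alice = Device(owner="alice@example.com")
    weak = MarketWebOnlyConsent({alice.owner: alice})
    weak.install(WebSession(alice.owner), "free-games", perms, accepted=True)

    bob = Device(owner="bob@example.com")
    hard = MarketDeviceConsent({bob.owner: bob})
    req = hard.request_install(WebSession(bob.owner), "free-games", perms)
    installed_before_prompt = "free-games" in bob.installed
    denied = hard.device_decides(bob, req, approve=False)

    req2 = hard.request_install(WebSession(bob.owner), "notes", perms)
    approved = hard.device_decides(bob, req2, approve=True)

    return {
        "weak_installed": list(alice.installed),
        "weak_notifications": list(alice.notifications),
        "hard_installed_before_prompt": installed_before_prompt,
        "hard_denied_result": denied,
        "hard_approved_result": approved,
        "hard_installed": list(bob.installed),
        "hard_notifications": len(bob.notifications),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

In the weak flow the phone ends up with the app and an empty notification list, which is exactly the silent install the article describes; in the hardened flow a browser session, however it was obtained, can only leave a visible pending request, and the phone's own decision determines whether anything is installed.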
Those who attempt to use a stolen Google account to buy and install a rogue application on someone's device, however, face a few hurdles. For example, barring some innovation from the attacker, the application that was purchased would appear on the user's list of applications on the phone, and would have to be opened by the user to run.
However, even if a user notices an unfamiliar application on their phone, any application with the word "free" in it would have a high chance of getting run, opined Roel Schouwenberg, senior malware researcher at Kaspersky Lab.
"Alternatively, a vulnerability could be discovered in Android that allows for some sort of local code execution," he said. "By itself, this vulnerability is low-risk, but paired with this feature, it effectively becomes remote code execution."
A spokesperson for Google said the issue is a theoretical threat that presupposes a Google account has been compromised; the company has worked hard to reduce the possibility of this through a combination of strategies, including phishing and malware detection in Chrome and Gmail as well as default HTTPS in Gmail.
"We don't have any indication that this method has been actively used, and as always, we take swift action against apps and developers who violate our policies," the spokesperson said.
Still, Google should make changes to the remote installation mechanism as soon as possible, blogged Vanja Svajcer, principal virus researcher at SophosLabs, Sophos' research arm.
"Let us hope that the update will come in time to prevent cyber-criminals abusing the Android Market for the automatic installation of malicious software," he wrote.