Researchers at FireEye have identified a vulnerability affecting Google Android that could be exploited to lead users to malicious sites.
According to FireEye, the issue allows a malicious app with ‘normal’ protection level permissions to target legitimate icons on the Android home screen and modify them to point to attack sites or the malicious app itself without notifying the user.The issue has been acknowledged by Google, which has released a patch to its OEM partners, the security researchers blogged.
“The ability to manipulate Android home screen icons, when abused, can help an attacker deceive the user,” the FireEye researchers explained. “There’s no surprise that the com.android.launcher.permission.INSTALL_SHORTCUTpermission, which allows an app to create icons, was recategorized from ‘normal’ to ‘dangerous’ ever since Android 4.2.”
Though the researchers called this an important security improvement, they noted an attacker can still manipulate Android home screen icons using two normal permissions – ‘com.android.launcher.permission.READ_SETTINGS’and ‘com.android.launcher.permission.WRITE_SETTINGS.’
According to the researchers, these two permissions enable an app to query, insert, delete or modify the configuration settings of the Launcher. However, these two permissions have been labeled as ‘normal’ since Android 1.x.
“As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website,” the researchers explained. “We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2…Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it.”
“Lastly, this vulnerability is not limited to Android devices running AOSP,” the researchers continued. “We have also examined devices that use non-AOSP Launchers, including Nexus 7 with CyanogenMod 4.4.2, Samsung Galaxy S4 with Android 4.3 and HTC One with Android 4.4.2. All of them have the protection levels ofcom.android.launcher.permission.READ_SETTINGSand WRITE_SETTINGSas “normal”.”
Just recently, Google announced extra protection for Android that will continuously scan devices to make sure applications are not performing malicious actions after installation.
Brian Prince is a Contributing Writer for SecurityWeek.Previous Columns by Brian Prince:Google Patches Android Icon Hijacking Vulnerability Phishers Target Vulnerable Shared Hosting Providers to Spread Attacks Akamai Reissuing SSL Keys After Flaw Found in Heartbleed Mitigation Google Boosts Android Security ProtectionMore Than Half of Enterprise Employees Receive No Security Training: Survey Finds
Tags: NEWS INDUSTRY