A fake app disguised as an add-on for the casual gaming sensation Angry Birds exposes a security hole on Google’s Android Market.
Researchers Jon Oberheide and Zach Lanier discovered a flaw in the Android Market that allows hackers to easily bypass the app permission process and install malware on the device.
To highlight the exploit, the pair created a fake Angry Birds app that advertises itself as an add-on for bonus levels for the game. Once downloaded, the app skips Android’s default installation permission screen and installs dummy programs that could be used to steal sensitive information from the device or send texts to premium numbers without the owner’s knowledge.
The demonstration app does none of this, of course, but it shows that it could be done if the developers had such intentions. The duo will appear at an Intel conference later today to demonstrate the risk in further detail.
We are a little surprised that Google approved the app in the first place, since it is clearly not an official release from Rovio (the makers of Angry Birds) and deceives users into thinking that it is. This reveals not only a security vulnerability but also a clear lack of prudence on Google’s part when it comes to the app approval process, making Apple’s stringent policies look more sensible.
Doubts over Android’s security credentials are not new, as hackers have successfully installed Trojanware on Android-operated devices in the past. With Android 2.3, AKA Gingerbread, just around the corner, we can only hope Google is addressing the problem.