Google recently made it easier for its Android customers to pick apps on a computer and have them installed on their mobile phones. According to a recent report from security research firm Sophos, the same update also makes it much easier for anyone holding a user's Google password to push malware onto that user's phone.
Google updated the website for its Android Market so that users can browse and select apps on their computer and have them installed on their mobile devices. The website enhances the app-selection experience by presenting additional information on a larger PC screen, and it offers a web alternative to customers who prefer that over the on-device Market app.
Vanja Svajcer, principal virus researcher at SophosLabs, examined the new Android Market website for its security controls, downloading a popular game that is also available on the iPhone. According to Svajcer, Google's app installation process is generally sound: it presents permission requests so that the user knows what an app will be able to do before it is installed. Early in the investigation, those controls appeared to be present and working on the Android Market website as well.
“The most important security aspect of the installation process on Android is the permissions an app requires on a device after the installation. Android users should particularly carefully read the required permissions before they install any applications, from the official Android Market or any other source,” Svajcer wrote in a recent company blog post. “As expected, the web-based Android Market displays the required permissions so that the user can make an informed decision about whether to install the application.”
According to Svajcer, this process is undermined on the new system by a weakness Google has been aware of since last year. Because the phone begins installing the application as soon as the user clicks the install button on the website, with the permission review taking place only in the browser and not on the device, the INSTALL_ASSET intent vulnerability discovered by Jon Oberheide last year could be used to distribute malicious mobile apps.
“In summary – if someone managed to steal your Google password they could trick your Android smartphone into installing software, without you having to grant permission on the device itself,” Svajcer wrote.
This vulnerability, now reachable through the new Android Market website, changes what a Google password is worth to a phisher and raises the stakes of password strength for Google users.
“The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence,” Svajcer wrote. “In future, however, the phishers’ intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user’s Android devices instead.”
Mobile malware, which grew 33 percent last year, is expected to become more complex and more common in 2011, according to AdaptiveMobile.
February 9, 2011
February 10th, 2011 at 10:13 pm
While I love the convenience of only having to type in one login and password for all of the awesome Google products I use, I can definitely see the security issues inherent in that policy. One more reason to keep your passwords strong and under lock and key!