Researchers at FireEye have identified a vulnerability affecting Google Android that could be exploited to lead users to malicious sites.
According to FireEye, the issue allows a malicious app with ‘normal’ protection level permissions to target legitimate icons on the Android home screen and modify them to point to attack sites or the malicious app itself without notifying the user. The issue has been acknowledged by Google, which has released a patch to its OEM partners, the security researchers blogged.
Though the researchers called this an important security improvement, they noted an attacker can still manipulate Android home screen icons using two normal permissions – ‘com.android.launcher.permission.READ_SETTINGS’ and ‘com.android.launcher.permission.WRITE_SETTINGS.’
According to the researchers, these two permissions enable an app to query, insert, delete or modify the configuration settings of the Launcher. However, these two permissions have been labeled as ‘normal’ since Android 1.x.
“As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website,” the researchers explained. “We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2…Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it.”
“Lastly, this vulnerability is not limited to Android devices running AOSP,” the researchers continued. “We have also examined devices that use non-AOSP Launchers, including Nexus 7 with CyanogenMod 4.4.2, Samsung Galaxy S4 with Android 4.3 and HTC One with Android 4.4.2. All of them have the protection levels of com.android.launcher.permission.READ_SETTINGS and WRITE_SETTINGS as “normal”.”
Just recently, Google announced extra protection for Android that will continuously scan devices to make sure applications are not performing malicious actions after installation.