Android Market poses remote installation risk - Update
Google's revamp of its Android Market allows Android users to initiate the download and installation of apps from their PCs. To do this, users merely have to enter the Google mail account which links the Android smartphone to Android Market.
This is certainly practical, but unfortunately the smartphone itself does not then ask the user to confirm that they want to install the app. This means that an attacker with access to Google mail details, perhaps stolen by a trojan, could remotely install an app placed on Android Market onto a user's device. This would allow infection of the PC to lead to infection of the smartphone. Banking trojans such as ZeuS already do this, but in a somewhat different manner.
Tests by our associates at heise Security found that the only hurdle to successful infection of an Android device via Android Market was the fact that Android apps can't launch themselves after installation. An attacker might, however, be able to induce a user to run such an app by sending the user an email to whet their appetite. Users could easily be caught out by messages such as "There's a secret Angry Birds level pre-installed on Android 2.2."
The only indication that something untoward has occurred is provided in the status bar at the top of the screen: this informs the user that an app has been downloaded and installed. Anti-virus software vendor Kaspersky has criticised the remote installation feature on its blog and suggests that it should be possible to deactivate this option.
In the lead-up to tomorrow's Safer Internet Day, the German Federal Office for Information Security (BSI) has also been warning of an increase in attacks on smartphones. BSI head Michael Hange is concerned about the risk of attacks on mobiles, smartphones and tablets: "Just on the basis of their increasing popularity and proliferation, mobile devices are an attractive target for criminals." He believes that it is not just the confidentiality of telephone calls and data that is at risk, but the whole portfolio of applications; the risks range from address books and eavesdropping on local conversations to determining a user's location.
Update - Contrary to what is stated above in paragraph three, no direct user interaction is in fact required to start the app after installation. It's possible to specify which events an app should respond to. For instance, leaving the standby mode leads to a broadcast (ACTION_USER_PRESENT). If the app is programmed as a receiver for this message, it will execute automatically.
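As an added illustration of the auto-start mechanism described in the update (not code from the article or from Google), the following Python check scans a decoded AndroidManifest.xml for broadcast receivers registered for ACTION_USER_PRESENT or BOOT_COMPLETED, which is how an analyst can tell whether an installed app is able to run without being opened. It assumes the manifest has already been decoded to plain XML (for example with apktool); the sample manifest is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcast actions that let an app start without the user opening it.
# USER_PRESENT is the unlock event mentioned in the article; BOOT_COMPLETED
# is the other common auto-start trigger. Both are real Android intent actions.
AUTO_START_ACTIONS = {
    "android.intent.action.USER_PRESENT",
    "android.intent.action.BOOT_COMPLETED",
}


def find_auto_start_receivers(manifest_xml: str) -> list[tuple[str, list[str]]]:
    """Return (receiver class name, matching actions) for every <receiver>
    whose <intent-filter> listens for an auto-start broadcast."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        name = receiver.get(f"{{{ANDROID_NS}}}name", "<unnamed>")
        actions = sorted(
            action.get(f"{{{ANDROID_NS}}}name")
            for flt in receiver.findall("intent-filter")
            for action in flt.findall("action")
            if action.get(f"{{{ANDROID_NS}}}name") in AUTO_START_ACTIONS
        )
        if actions:
            hits.append((name, actions))
    return hits


# Constructed sample manifest (not from any real app): one receiver that fires
# when the device leaves standby, and one harmless receiver that does not.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <receiver android:name=".UnlockReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BatteryReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BATTERY_LOW"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, actions in find_auto_start_receivers(SAMPLE_MANIFEST):
        print(f"{name} starts automatically on: {', '.join(actions)}")
```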