Android Market: XSS hole allows unauthorised installation of apps
Google has closed a cross-site scripting (XSS) hole in the Android Market that allowed attackers to install apps on Android devices without the user's consent – and without requiring physical access to the device. Only last weekend, Google was struggling with security problems in the Android Market after criminals had listed and deployed 52 infected apps.
While apps don't auto-start once they have been installed, there are ways of launching them remotely. For this purpose, the installed app needs to announce in the installation manifest which system events, for example further installations (PACKAGE_ADDED) or waking up from standby (ACTION_USER_PRESENT), it can respond to. Installing a further app via the hole that has now been closed would only have been a matter of skilful programming.
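As an added illustration (not part of the original report), the following Python script audits a decoded AndroidManifest.xml for broadcast receivers registered for the two events named above, which is how a reviewer would spot an app that can be woken without being opened. The sample manifest and its package and receiver names are constructed, and the action strings are the Intent values behind PACKAGE_ADDED and ACTION_USER_PRESENT.

```python
import xml.etree.ElementTree as ET

# Attribute key for android:name in a decoded (text) manifest.
NAME = "{http://schemas.android.com/apk/res/android}name"

# Intent string values for the two system events the article mentions.
TRIGGER_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED": "another package was installed",
    "android.intent.action.USER_PRESENT": "device woke up and was unlocked",
}

# Constructed sample manifest, in the text form a decoder such as apktool emits.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".InstallWatcher">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def find_trigger_receivers(manifest_xml):
    """Return (package, receiver, action, meaning) for every manifest-declared
    receiver whose intent filter lists one of TRIGGER_ACTIONS."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for receiver in root.iter("receiver"):
        for action in receiver.iterfind("intent-filter/action"):
            name = action.get(NAME)
            if name in TRIGGER_ACTIONS:
                findings.append(
                    (package, receiver.get(NAME), name, TRIGGER_ACTIONS[name]))
    return findings

if __name__ == "__main__":
    for finding in find_trigger_receivers(SAMPLE_MANIFEST):
        print("%s: receiver %s listens for %s (%s)" % finding)
```

The check only covers receivers declared in the manifest, and the standard-library parser should be given only manifests decoded in a controlled environment.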
That the web store's remote app installation feature carries security risks had already been pointed out by the AV vendors. A particularly sensitive issue is that no further user interaction is required to authorise the installation on the target device. The only indication for potential victims that an (unauthorised) app has been installed on their device is the notification about a successful download and installation in the status bar.
Incidentally, Oberheide plans to take part in the Pwn2Own contest but already notified Google about the XSS hole beforehand because he didn't think the vulnerability qualified for this contest. Developers participating in this contest can receive $15,000 for taking control of an Android device. Instead, Oberheide will only receive $1,337 under the Bug Bounty program.