In association with heise online

08 March 2011, 12:12

Android Market: XSS hole allows unauthorised installation of apps


Google has closed a cross-site scripting (XSS) hole in the Android Market that allowed attackers to install apps on Android devices without the user's consent – and without requiring physical access to the device. Only last weekend, Google was struggling with security problems in the Android Market after criminals had listed and deployed 52 infected apps.

According to Android security specialist Jon Oberheide, who discovered the hole, the (persistent) XSS vulnerability is located in the description field for apps in the Android Market web store. The field reportedly allows attackers to inject JavaScript code that is executed when accessed in the browser. A malicious script could have triggered the remote installation of a malicious app – provided that the user was logged into the web store.
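As an added illustration (not code from the Android Market or from Oberheide's findings), the Python below contrasts the two usual responses to a stored XSS in a free-text field such as an app description: a tag blacklist, which strips `<script>` elements but leaves other markup and event handlers alive, and HTML output encoding, which makes the browser show every character literally. The description string is constructed for the example and the function names are this example's own.

```python
import html
import re

# Constructed sample, not a real Market listing: a description that
# carries markup the way a stored XSS payload in this field would.
SAMPLE_DESCRIPTION = (
    'Great flashlight app! <script>document.title="x"</script> '
    '<img src=x onerror="document.title=\'y\'"> 5 stars & more'
)

# Anything a browser would start parsing as a tag: "<" followed by an
# optional "/" and a letter.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def naive_filter(raw: str) -> str:
    """Blacklist approach often tried first: remove <script>...</script>.

    It does nothing about other elements (img, svg, ...) or inline event
    handlers, so script can still run after the filter.
    """
    return re.sub(r"<\s*script.*?<\s*/\s*script\s*>", "", raw,
                  flags=re.IGNORECASE | re.DOTALL)


def render_description(raw: str) -> str:
    """Output encoding: return text safe to splice into an HTML text node.

    Every character with meaning in HTML (&, <, >, ", ') becomes its
    entity, so attacker-supplied markup is displayed rather than parsed.
    This is the standard fix for a stored XSS in a free-text field.
    """
    return html.escape(raw, quote=True)


def contains_markup(rendered: str) -> bool:
    """True if the rendered string still contains something a browser
    would interpret as the start of a tag."""
    return TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    for label, func in (("blacklist", naive_filter),
                        ("output encoding", render_description)):
        out = func(SAMPLE_DESCRIPTION)
        print(f"{label:16} markup survived: {contains_markup(out)}")
        print("   ", out)
```

The blacklist version lets the `img` element and its `onerror` handler through untouched; the encoded version leaves nothing for the HTML parser to act on, which is why encoding at the point of output, rather than filtering at the point of input, is the fix for this class of bug.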

While apps don't auto-start once they have been installed, there are ways of launching them remotely. For this purpose, the installed app needs to declare in its manifest which system events, for example further installations (PACKAGE_ADDED) or waking up from standby (ACTION_USER_PRESENT), it responds to. Installing a further app via the hole that has now been closed would only have been a matter of skilful programming.
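The manifest declarations just described are something a reviewer can check for mechanically. The Python below, an added example rather than anything from Google or Oberheide, parses a constructed AndroidManifest.xml fragment and lists every broadcast receiver that subscribes to an action capable of starting the app without the user opening it. The two actions named in the article are in the list; BOOT_COMPLETED is added as an assumption of the same family, and the manifest and receiver names are made up for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # the android:name attribute

# Broadcast actions that let an app run without the user launching it.
# PACKAGE_ADDED and USER_PRESENT are the ones named in the article;
# BOOT_COMPLETED is included as an assumption of the same kind.
AUTO_START_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.BOOT_COMPLETED",
}

# Constructed manifest, not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".HarmlessReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BATTERY_LOW"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def auto_start_receivers(manifest_xml: str) -> Dict[str, List[str]]:
    """Map each <receiver> to the auto-start actions it listens for.

    Receivers whose intent filters name none of AUTO_START_ACTIONS are
    left out, so an empty result means nothing in the manifest can wake
    the app on its own.
    """
    root = ET.fromstring(manifest_xml)
    hits: Dict[str, List[str]] = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(NAME_ATTR, "<unnamed>")
        actions = [a.get(NAME_ATTR, "") for a in receiver.iter("action")]
        flagged = sorted(a for a in actions if a in AUTO_START_ACTIONS)
        if flagged:
            hits[name] = flagged
    return hits


if __name__ == "__main__":
    for receiver, actions in auto_start_receivers(SAMPLE_MANIFEST).items():
        print(receiver)
        for action in actions:
            print("   ", action)
```

Run against a real manifest (decoded from the APK first), the output is a shortlist of the components that deserve a closer look before an app is trusted; declaring such a receiver is not malicious in itself, which is why the script reports rather than judges. One caveat: from Android 3.1 onwards a newly installed app that has never been launched sits in a stopped state in which it does not receive these broadcasts, so the remote-launch route described in the article applies to the platform versions current at the time.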

AV vendors had already pointed out that the web store's remote app installation feature carries security risks. A particularly sensitive issue is that no further user interaction is required to authorise the installation on the target device. The only indication for potential victims that an (unauthorised) app has been installed on their device is the notification about a successful download and installation in the status bar.

Incidentally, Oberheide plans to take part in the Pwn2Own contest but already notified Google about the XSS hole beforehand because he didn't think the vulnerability qualified for this contest. Developers participating in this contest can receive $15,000 for taking control of an Android device. Instead, Oberheide will only receive $1,337 under the Bug Bounty program.
