Back door exploit for Android phones

A security expert working at Alert Logic has published a demonstration back door exploit for smartphones running Android. Criminals could use the principles of this exploit to gain control of a phone and install trojans. A potential victim need only call a malicious web site for infection to occur.

The example exploit will open the back door for demonstration purposes only on the fixed IP address 10.0.2.2 on port 2222. Although as it stands, the demo exploit is harmless, for an experienced cracker it would be relatively easy to customise the shellcode to create a malicious version. In a test conducted by The H's associates at heise Security with an HTC Wildfire (Android 2.1), the exploit only caused a browser crash. Officially, the exploit only is only effective on Motorola's Droid 2.0.1, 2.1, and the test was successful on an emulation of 2.0 - 1.2.

According to the Alert Logic engineer M.J. Keith, the exploit uses a long known flaw in the WebKit browser framework, and was originally only present in Apple's Safari and the Ubuntu Linux distribution. WebKit is now used in Google's Chrome and in Android. The hole was fixed in Android 2.2, but according to Google's official statistics only 37 per cent of devices run this software version. Apparently there are further flaws in WebKit that also affect Android.

Since Google has never published information on security holes and patches for Android, users remain unaware of potential threats. It is unclear why Google retains the information and several questions about this policy remain unanswered. It is possible the information is not published out of consideration for the manufacturers of smart phones who often take many months to produce updates and commonly use unofficial adaptations of Android to suit their particular hardware.

Recently the software audit specialists Coverity reported finding 88 critical vulnerabilities in Android.

(trk)