You know those app permissions you’re supposed to read before installing apps from the Android Market (you do read them, right?). Well, it turns out that you might not have needed to bother.
A security exploit, discovered by researchers Jon Oberheide and Zach Lanier, allows attackers to skip listing permissions if they want to.
To demonstrate the risk, the pair created a fake Angry Birds app and unleashed it on the Market. Instead of giving gamers the promised extra levels, the fake app installed a raft of programs that could steal contact info and send texts to premium-rate numbers. Note that we said could.
We should be thankful that this is the work of a white hat team and not malicious hackers. The pair are due to demonstrate the security risk at a conference today hosted by Intel. Hopefully this exploit can be patched up without much fuss.
In the meantime, this is a reminder that checking permissions isn’t always enough; before installing any app from the Android Market, check user comments and check the name and website of the developer. In the case of new Angry Birds levels, the developer should be Rovio Mobile and nobody else.
If you find an app in the Market that’s not official or looks suspicious in any way, it’s best not to download it unless you’re 100% sure it’s safe.