Say hello to the dark side of Google Android

This new feature, says Denis Maslennikov, a senior malware analyst with Kaspersky Lab, is effectively the same as a remote install option.

"Have we misheard something?" he asks in his latest security blog.

"No, it's an official feature of the brand new market. If you use an Android device, it means that you have a GMail account associated with your device, and now you can remotely install any application from the Android store", he adds.

The procedure, he goes on to say, involves logging into the Android Market with the GMail account associated with your smartphone and choosing an application you would like to install, then clicking on the install link.

"If your smartphone is connected to the internet, you will immediately notice that on the device's screen an install is already taking place", he said, adding that it is a potential security problem, because, when installing apps via the market on your phone, you must agree to all the permissions being requested before the app will actually install on your handset.

With this new incarnation of the Android Market, he explained, those permission are only displayed on the app page within the web interface of the Android Market.

"After agreeing to these permissions the app is installed without any notifications on your mobile device", he said, adding that this `convenient' option allows unauthorised access to your Gmail account.

This would, he claims, allow the attacker the ability to purchase and install any app available within the Android Market.

Apps within the Android Market, says Maslennikov, have a lot of options, many of which could be used maliciously by an unauthorised third party.

"This is just one more reason to create strong passwords, and be ever vigilant about access to your accounts and devices", he said, adding that Kaspersky has alerted Google about the security risk.

"We can't seem to find a way to disable these remote installs from the browser. At the minimum, it's important that Android users have the ability to turn off this feature", he noted.

 

What’s hot on Infosecurity Magazine?