Source: Forbes
Android Bug Would Have Allowed Phone Infections From A Computer Click
Mar. 7 2011 - 1:05 pm
It’s no surprise that the line between phone security and computer security is blurring. But few Android users would have guessed that for most of the last month, a single click on their PC could have infected their phone with whatever program a cybercriminal chose.
Late last month, Google patched a so-called “cross-site scripting” flaw in its Android Web Market that would have allowed a malicious hacker to trick users into installing malware on their phones with just a spoofed link on the Web or in their email, according to security researcher Jon Oberheide. By embedding code in a carefully crafted link to the Market, sent to a user or planted on a website, an exploit based on that bug could have hijacked the Market’s ability to silently install programs on a user’s phone via its Web interface, so long as he or she was logged into a Google account.
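The article does not show the flawed Market code, so the following is an added illustration, not Google's code or Oberheide's: a generic reflected cross-site scripting pattern of the kind described, a hypothetical search page that echoes a URL parameter back into HTML, shown first without output encoding (a crafted link runs script inside the logged-in user's session, which is what lets the attacker drive any action that session is allowed to take) and then with the standard fix of HTML-encoding every untrusted value. The page name, the `q` parameter and the sample payload are all constructed for the example.

```javascript
// Added example (not from the Forbes article or from Google): a reflected
// XSS pattern and its fix, on a hypothetical "market" search page whose URL
// parameter `q` is echoed into the response.

// HTML-encode the five characters that let text break out of a text node or
// a quoted attribute value. Apply to every untrusted value placed in HTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the search term out of a request URL (constructed host name).
function queryFromUrl(url) {
  return new URL(url).searchParams.get("q") || "";
}

// Vulnerable: the parameter is concatenated into the markup as-is, so a link
// such as /search?q=<script>...</script> runs in the victim's session.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: identical page, but the untrusted value is encoded on output.
function renderSearchHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Review helper: list tags in the rendered HTML that are script elements or
// carry inline event handlers. Encoded text such as "&lt;script&gt;" is not
// a tag, so it is correctly ignored.
function findActiveMarkup(html) {
  const tags = html.match(/<[a-z][^>]*>/gi) || [];
  return tags.filter((tag) => /^<script\b/i.test(tag) || /\son\w+\s*=/i.test(tag));
}

// Demonstration with a constructed payload in a constructed link.
const craftedLink =
  "https://market.example/search?q=" + encodeURIComponent("<script>alert(1)</script>");
const q = queryFromUrl(craftedLink);
console.log("vulnerable:", findActiveMarkup(renderSearchVulnerable(q)));
console.log("hardened:  ", findActiveMarkup(renderSearchHardened(q)));
```

Output encoding closes the injection itself; it does not change the other risk the article raises, that a web session alone is enough to push an install to the phone. A sensitive action like that is normally additionally gated on a confirmation that the attacker's injected script cannot supply, such as a prompt on the device.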
In a blog post, Oberheide applauds Google for fixing the bug in late February, as well as paying him a $1,337 fee for reporting the bug as part of the company’s bug bounty program. But he notes that “since the Android web market was launched earlier this year, it was possible to remotely install arbitrary applications with arbitrary permissions onto a victim’s phone simply by tricking them into clicking a malicious link (either on their desktop OR phone). The exploit
universally across all Android devices, versions, and architectures.”
Oberheide also points out that despite the fix, Google still allows installations of Android apps from the Web interface without warnings on the phone. That’s a dangerous privilege, given how easily the login credentials to a user’s Google account can be stolen.
Read more: http://blogs.forbes.com/andygreenberg/2011/03/07/android-bug-would-have-allowed-phone-infections-from-a-computer-click/