Google patches Android flaw that allows phishing apps to spoof genuine ones

By NDTV Correspondent | Updated: 16 April 2014 14:17 IST
Google has released a patch that fixes a security vulnerability in Android related to app permissions. Security firm FireEye discovered late last year that apps could modify the icons of other apps on Android home screens and make them point to any other app or website, which would allow attackers to divert users to fake versions of trusted apps and websites in order to steal information.

The security lapse is possible because until now, apps have been able to modify the Android launcher's Read and Write attributes without explicitly asking for user permission. These permissions had previously been classified as "normal", indicating there was no known potential for abuse. "Normal" permissions are not displayed to the user prior to app installation, unlike more sensitive ones such as allowing access to location data, contacts, and the camera.

However, attackers could easily modify icons to point to malicious websites or apps that spoof the interfaces of known, trusted ones, such as banking and shopping apps. Commonly known as phishing, this kind of attack tricks users into entering their PINs, passwords or credit card information, which are then stolen.

The problem affects devices up to and including those running Android 4.4.2, the most recent version. Custom Android skins including those of Samsung and HTC, as well as the aftermarket CyanogenMod, were found to be vulnerable.

FireEye demonstrated a proof-of-concept app which made it past Google's security scans and was briefly live in the Google Play store, but was withdrawn before anyone could accidentally download it. No requests for permissions were displayed to test users on a Nexus 7 tablet.

Google has now acknowledged the problem and has released a patch to Android device manufacturers, but it will be up to them to decide which devices will receive updates, and when. Android fragmentation is a known problem, and many devices might never be updated. Users must therefore remain constantly vigilant against potential phishing attacks.
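An added example, not from the article, FireEye or Google: a Python audit that flags apps requesting the launcher read/write permissions described above, given an AndroidManifest.xml already decoded to text. The permission-name pattern (the AOSP names `com.android.launcher.permission.READ_SETTINGS` and `WRITE_SETTINGS`, with vendor launchers assumed to share that suffix), the function names and the sample manifests are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: launcher settings permissions follow the AOSP naming
# (com.android.launcher.permission.READ_SETTINGS / WRITE_SETTINGS) and
# vendor launchers reuse the suffix under their own package prefix.
LAUNCHER_PERM = re.compile(r"launcher.*\.(READ|WRITE)_SETTINGS$", re.IGNORECASE)

def launcher_permissions(manifest_xml):
    """Return the launcher settings permissions a manifest requests, split by read/write."""
    root = ET.fromstring(manifest_xml)
    found = {"read": [], "write": []}
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        match = LAUNCHER_PERM.search(name)
        if match:
            found[match.group(1).lower()].append(name)
    return found

def assess(manifest_xml):
    """'review' if the app can both read and rewrite home-screen entries,
    'note' if it requests only one of the two, 'ok' otherwise."""
    perms = launcher_permissions(manifest_xml)
    if perms["read"] and perms["write"]:
        return "review"
    if perms["read"] or perms["write"]:
        return "note"
    return "ok"

# Constructed sample manifests (not taken from any real app).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>
  <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS"/>
</manifest>"""
# android.permission.WRITE_SETTINGS is the system-settings permission,
# not a launcher one, so it must not be flagged.
SAMPLE_CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, assess(xml_text), launcher_permissions(xml_text))
```

Because these permissions were classified as "normal" on unpatched devices, the install prompt does not show them, so a manifest check like this is one of the few places they are visible before installation.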
