Lingering Android security flaw lets apps do things without permission

ViaForensics has demonstrated that an app requesting zero permissions can nonetheless allow a remote user to gain shell access to an Android phone.

YouMail Permissions Android

Last week, ViaForensics pointed out that Google Wallet wrote transaction histories to unencrypted database files, and this week the security firm is demonstrating another Android flaw: apps can do things (like give shell access to a remote user!) even when they don't ask for any permissions at all. Generally, when you install an Android app, you grant it permission to do a variety of things, but as you'll see in the video below, even a seemingly innocuous program that requests no permissions could do some pretty unseemly stuff. Now, this isn't a revolutionary exploit, since the kinds of users who don't bother to check where their apps are coming from are likely the same sort who don't check permissions to begin with, but it is a little concerning that the exploit has been around this long without Google patching it. According to ViaForensics, the hack was the topic of a presentation at Defcon 18 last year, works similarly to the capability leak vulnerability that North Carolina State University researchers discovered earlier this month, and yet it still works in all versions of Android, including Android 4.0 Ice Cream Sandwich.

Android No-Permissions Reverse Shell from Thomas Cannon on Vimeo.