Researchers use Woodpecker to single out vulnerable Android phones

North Carolina State University researchers say some Android smartphone makers' efforts to go above and beyond the Google mobile platform's basics open their devices to security breaches.

"Some of these pre-loaded applications, or features, are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages," says Xuxian Jiang, an assistant professor of computer science at NC State and co-author of a paper describing the research. "The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential 'backdoors' that can be used to give third-parties direct access to personal information or other phone features."

SLIDESHOW: Best free Android apps of 2011 

Hackers could trick the apps into recording your phone calls or wiping out your settings, says Jiang, whose team used a tool dubbed "Woodpecker" to detect vulnerabilities.

Such smartphone flaws are welcome news to hackers, who see Android phones as an increasingly juicy target: Gartner says more than half of the smartphones sold worldwide in the third quarter run Android, and that's double the number from the third quarter last year.

Vendors such as McAfee and Juniper Networks have recently released study results showing a boom in malware targeting Android devices, though Google has countered that some vendors may just be trying to roil up the market to sell more of their security wares

NC State researchers have had their eyes on Android security for some time. Network World spoke with Xuxian Jiang in April about an effort to defend Android users from privacy thieves. The NC State team's privacy mode software - dubbed Taming Information-Stealing Smartphone Applications (TISSA) -- would give Android users more control over what information they divulge to makers of third-party apps, both at the time of downloading the app and while it's running.

Based on NC State's latest research, on eight different smartphone models, Motorola Droid and plain Google reference implementations fared best. However, HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G all showed significant vulnerabilities. NC State researchers say they notified manufacturers about the holes earlier this year.

The research, supported by the National Science Foundation and U.S. Army Research Office, will be presented Feb. 7 at the 19th Network and Distributed System Security Symposium in San Diego.

Follow our Alpha Doggs blog for more on network research and follow our Alpha Doggs page on Google+ 

Read more about anti-malware in Network World's Anti-malware section.

Tags Googleconsumer electronicssecurityNetworkingsmartphoneswirelessNorth Carolina State University

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Audit Management Solutions

Manage the complete audit lifecycle from audit universe identification and risk assessment to management/board reporting and quality assurance.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.