Researchers use Woodpecker to single out vulnerable Android phones

North Carolina State University researchers say some Android smartphone makers' efforts to go above and beyond the Google mobile platform's basics open their devices to security breaches.

"Some of these pre-loaded applications, or features, are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages," says Xuxian Jiang, an assistant professor of computer science at NC State and co-author of a paper describing the research. "The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential 'backdoors' that can be used to give third-parties direct access to personal information or other phone features."

SLIDESHOW: Best free Android apps of 2011 

Hackers could trick the apps into recording your phone calls or wiping out your settings, says Jiang, whose team used a tool dubbed "Woodpecker" to detect vulnerabilities.

Such smartphone flaws are welcome news to hackers, who see Android phones as an increasingly juicy target: Gartner says more than half of the smartphones sold worldwide in the third quarter run Android, and that's double the number from the third quarter last year.

Vendors such as McAfee and Juniper Networks have recently released study results showing a boom in malware targeting Android devices, though Google has countered that some vendors may just be trying to roil up the market to sell more of their security wares.

NC State researchers have had their eyes on Android security for some time. Network World spoke with Xuxian Jiang in April about an effort to defend Android users from privacy thieves. The NC State team's privacy mode software - dubbed Taming Information-Stealing Smartphone Applications (TISSA) -- would give Android users more control over what information they divulge to makers of third-party apps, both at the time of downloading the app and while it's running.

Based on NC State's latest research, on eight different smartphone models, Motorola Droid and plain Google reference implementations fared best. However, HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G all showed significant vulnerabilities. NC State researchers say they notified manufacturers about the holes earlier this year.

The research, supported by the National Science Foundation and U.S. Army Research Office, will be presented Feb. 7 at the 19th Network and Distributed System Security Symposium in San Diego.

Follow our Alpha Doggs blog for more on network research and follow our Alpha Doggs page on Google+ 

Read more about anti-malware in Network World's Anti-malware section.

Join the CSO newsletter!

Error: Please check your email address.

Tags consumer electronicsGoogleNetworkingsecuritywirelesssmartphonesNorth Carolina State University

More about AlphaGartnerGoogleHTCJuniperJuniperLegend Performance TechnologyMcAfee AustraliaMotorolaSamsungSSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bob Brown

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts