According to a group of computer scientists at North Carolina State University, a vulnerability exists within many Android devices that would allow hackers (or malicious apps) to bypass the permissions request process and tap into audio and location, wipe apps and data, or send unauthorized SMS messages, all without the user knowing.
This may sound sensational, but the researchers have built and tested a dummy app that demonstrates the problem in practice:
Of the eight phones tested with the researchers' diagnostic app (Woodpecker), HTC's Evo 4G was the most vulnerable: it "leaked" eight different capabilities to the dummy app even though the user had never granted it the corresponding permissions.
Phones sold by HTC, Samsung, Motorola, and Google are affected. The researchers attribute the problem to pre-loaded apps and other manufacturer 'enhancements,' which open a software loophole through which malicious apps can sidestep the permission requests.
Both Google and Motorola have evidently acknowledged this threat, but HTC and Samsung, according to the researchers, have been slow to respond. The NCSU researchers have also compiled a paper on the subject (to be presented at the 2012 Network and Distributed System Security Symposium), writing "We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today."
It is unclear when, or whether, there will be an official response to this issue, whether in the form of software fixes or otherwise, but in the meantime, as always, it is advisable to stay away from untrusted applications.
Via The Register