The security of our mobile apps and private data is a very serious matter. This is particularly true for high value targets like web browsers, which often store login credentials that can be used to access many of the websites we use on a regular basis. Unfortunately, browsers are also very complicated applications with an extensive set of features that are difficult to lock down completely. Sebastián Guerrero Selma of viaForensics recently posted a video demonstrating a newly discovered vulnerability in Firefox for Android which would allow hackers to access both the contents of the SD card and the browser's private data.
A very serious security hole has been discovered in Firefox for Android that allows a website to force the browser to download and run potentially damaging files, usually without the user's knowledge or interaction. The vulnerability was first described and demonstrated publicly on September 9th as part of a posting meant to advertise the attack as being for sale. The method for exploiting the weakness simply requires a webserver to instruct Firefox for Android to initiate a download, after which the downloaded file is automatically opened or executed (depending on the file type).
The Google Play Store's "Bouncer," which Google launched back in February to protect Android users from malicious apps, is a service that scans potential Play Store apps by running them in a virtual phone environment, where the app's activities are monitored for any signs of mal-intent.
Taking advantage of that test period, security researchers Charlie Miller and Jon Oberheide have evidently found ways past Bouncer (which they will be presenting at the Summercon conference in New York this week).
Fake apps in the Play Store are nothing new. We've seen countless fakes hit the Store, many of which contained some form of malware used to steal user data, or worse, charge premium features to their bill. A Latvian firm is now being fined for the latter due to fake apps designed to look like Angry Birds Space, Cut the Rope, and Assassin's Creed.
After downloading one of the aforementioned apps, though, the user wasn't greeted by flying birds or a hungry frog, but instead...
Remember DroidDream - one of the worst malware apps that we've seen since Android's inception? Well, it appears that the developer of said malware is back at it again, with a reported 25 infected apps (so far) found in the Android Market. Dubbed DroidDreamLight by the Lookout Security team, this infection is a stripped down version of its predecessor. Make no mistake, though - that doesn't mean it's any less malicious.
With a great plugin comes great responsibility - to avoid malicious Flash files, that is. A zero-day exploit has been discovered in Adobe Flash that affects all Android versions of the software, Adobe announced today.
The most common vessel for the exploit is (fortunately) a Microsoft document (.doc) email attachment with an embedded Flash file (.swf) - and I'm not aware of any Word document viewers/editors in Android that support embedded Flash.
With all of the recent concern about malware in the Android Market, it may lead one to make the generalization that the Android OS is nothing but a big loser in the mobile security department. It looks like that may be a faulty conclusion, if the results from hacking competition Pwn2Own are any indication. In this year's contest, held at the CanSecWest Security Conference, Android and Windows Phone 7 both survived unscathed, while iOS and Blackberry fell to the hackers.