Researchers have built an Android app that sails right past the smartphone software's permissions protocol and could enable a hacker to install and run corrupt code on a target's mobile device.
The proof-of-concept app, as described in a blog post by the security firm ViaForensics called "No-permission Android App Remote Shell," gives its creators remote access to an infected Android device. The app exploits Android's permissions system, which is designed to put security in the hands of customers by giving them explicit control over what capabilities each app can perform.
This is yet another blow to Google's massively popular but vulnerable smartphone operating system, which has been hit with a multitude of malware attacks in the past few months.
The ViaForensics app, as shown in a video on the company's website, gave researchers the ability to extract data about the target device and read data form the SD Card and send it back to its server.
Thomas Cannon, director of research and development at ViaForensics, wrote that the functionality the app exploits is not new, and has "been quietly pointed out for a number of years."
"We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel," Cannon wrote.
Researchers tested the rogue Android app — it is not a legitimate app in Android's App Market — on versions from 1.5 up to 4.0 (Ice Cream Sandwich) and said it successfully performed its devious function in all cases.
"In this demonstration Android's power and flexibility were perhaps also its downfall," Cannon wrote. "Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user."