Android permissions flaw could allow hackers to snoop on phone calls
Researchers find serious vulnerability in several handsets
Researchers have uncovered a vulnerability in Google Android's permission-based security model that potentially affects millions of handsets and could allow hackers to wipe data, send text messages and even record conversations.
A team at North Carolina State University revealed the flaw in a new research paper which studied eight popular Android smartphones from leading manufacturers including HTC, Motorola and Samsung.
The flaw they discovered effectively enables hackers to bypass the permission-based security model in Android, which requires each app to "explicitly request permissions upfront to access personal information and phone features".
"[We] are surprised to find out these stock phone images do not properly enforce the permission-based security model," the paper noted.
"Specifically, several privileged (or dangerous) permissions that protect access to sensitive user data or phone features are unsafely exposed to other apps which do not need to request these permissions for the actual use."
The team employed inter-procedural data flow analysis on pre-loaded apps using a system it built called Woodpecker.
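Woodpecker traces data flow inside pre-loaded apps; a much coarser first check is whether an app that holds a sensitive permission also exposes entry points that any other app can call without holding one. The following is an added example, not code from the paper or from Woodpecker; the permission list, function names and sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: real Android permissions chosen to match the capabilities the
# article names (wipe data, send SMS, record audio, read location).
SENSITIVE = {"android.permission." + p for p in (
    "MASTER_CLEAR", "SEND_SMS", "RECORD_AUDIO",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION")}
COMPONENTS = ("activity", "service", "receiver")  # providers not covered here

def is_exported(elem):
    flag = elem.get(ANDROID + "exported")
    if flag is not None:
        return flag == "true"
    # Legacy default: an intent filter makes the component callable by other apps.
    return elem.find("intent-filter") is not None

def unguarded_entry_points(manifest_xml):
    """Return (sensitive permissions held, exported components with no guard)."""
    root = ET.fromstring(manifest_xml.strip())
    names = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    held = sorted(names & SENSITIVE)
    app = root.find("application")
    if not held or app is None:
        return held, []
    app_guard = app.get(ANDROID + "permission")  # applies to every component
    findings = [
        (elem.tag, elem.get(ANDROID + "name"))
        for elem in app
        if elem.tag in COMPONENTS and is_exported(elem)
        and not (elem.get(ANDROID + "permission") or app_guard)
    ]
    return held, findings

# Constructed sample: decoded manifest of a hypothetical pre-loaded app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.preload">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SmsRelayService">
      <intent-filter><action android:name="com.example.preload.RELAY"/></intent-filter>
    </service>
    <receiver android:name=".GuardedReceiver" android:exported="true" android:permission="android.permission.SEND_SMS"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""
```

A hit is a lead for manual review, not proof of a leak: the manifest does not show whether the exposed component actually reaches a permission-protected API, which is what the data flow analysis establishes.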
"The results are worrisome: among the 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions," noted the report.
"These leaked capabilities can be exploited to wipe out the user data, send out SMS messages (e.g. to premium numbers), record user conversations, or obtain the user's geo-location data on the affected phones - all without asking for any permission."
Android has frequently been cited by experts as a greater security risk than Apple's iOS owing to its open ecosystem, which means that malicious apps can easily find their way onto the Android Market or third-party Android app stores.
Premium-rate dialler malware and information-stealing Trojans have proved among the most popular tools for cyber criminals, who place them online disguised as innocent-looking apps.
V3 contacted Google for comment on the flaw but was still awaiting a response at the time of writing.