Security Vendor Says Android Market Web Store is Cause for Concern
Security firm Sophos says Google's new Android Market for the Web could open a backdoor for phone hackers to muck around with your smartphone. The problem, says Sophos, is that once a user clicks on the install button from the Web, the linked mobile device begins downloading the application without any kind of warning, and that could lead to trouble. Sophos sees this as a game-changing scenario for phishers unless Google changes things up, and does so quickly.
In a lengthy blog post, Sophos points out that the most important security aspect of the installation process on Android is the set of permissions an app requires on a device after the installation. For example, if a game is asking for permissions to send and receive SMS messages, then perhaps it's up to no good. But the real "red security flag" is the lack of notification on the mobile device that a Web app installation has been triggered.
"If someone managed to steal your Google password they could trick your Android smartphone into installing software, without you having to grant permission on the device itself," says Vanja Svajcer, Principal Virus Researcher at SophosLabs. "The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence. In future, however, the phishers' intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user's Android devices instead."
Sophos says that at minimum, Google should make changes to the remote installation mechanism so that a dialog box is displayed on the receiving device.
Does Sophos have a legitimate concern here, or is this much ado about nothing?
Comment
TheQuietShadow
February 08, 2011 at 11:00am
There have been security concerns before, such as over-the-air updates. Updates can be pushed to a phone with the right hardware and software, making Android phones more vulnerable than others. There is a way to help protect your phone and Google accounts though; that's the beauty of Google.
Description of 2-step verification from Google:
"2-step verification adds an extra layer of security to your Google Account by requiring you to have access to your phone – as well as your username and password – when you sign in. This means that if someone steals or guesses your password, the potential hijacker still can't sign in to your account because they don't have your phone."
http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284
*Deep breath and exhale* "I love Google... I wonder if she's single"