The CarrierIQ story has been the dominant topic on mobile security over the past week or so, but I believe this is far more important to pay attention to.
Yes, it’s important to realize that the mobile operators are pre-installing monitoring software onto your phone, but there’s no evidence that major privacy violations have occurred.
Now with this other (far less reported) story, there appears to be a privilege escalation type attack in Android. Normally, when installing an app, you are informed of all system access requested by that app. Then you have a choice whether or not you want to install that tetris clone that mysteriously requires access to your text messages.
Apparently there’s a hack that allows an app to access some things that it doesn’t request permission for. Specifically demonstrated by the researchers were the ability to send text messages, record sound, and reboot the phone (which is not something that any app should be able to do at all).
Because the Android Marketplace does not have any code review before posting apps, this could lead to a rogue app that could steal information from those who install it. It doesn’t even have to be a shady looking application…a smart attacker would take the time to code a useful app that performs some function very well. It would secretly capture information and send it off to the attacker for further use.
This could go undetected for a long time.
Or it could be happening already.