Fake Angry Birds exposes Android security hole

A bogus Angry Birds bonus level has made its way into the Android Market in a ploy to expose the platform's security weaknesses.

And, although the fake app was apparently removed within 6 hours, it could potentially have caused some damage had the developer's intentions been less conscientious.

The app was developed by security researcher and Scio Security CTO Jon Oberheide. His aim was to prove that Android is vulnerable as a result of its lax security controls.

The misleading Angry Birds content included the functionality to download other apps from the Android Market, without the handset owner's permission.

The trojan-like program skipped Android's standard security checks, which are supposed to ask users to give permission for apps to access certain areas of the platform or download additional applications.

"This vulnerability would make it possible for one application to download and launch additional applications from the Marketplace", said Mikko Hypponen, chief research officer at F-Secure.

"To demonstrate this, Jon had also uploaded several other applications to Marketplace: Fake Contact Stealer, Fake Location Tracker, and Fake Toll Fraud. These would be launched by the Angry Birds trojan".

A Google spokesperson said: "We began rolling out a fix for this issue on Friday, which will apply to all Android devices. As always, we advise users to only install applications they trust".

It's not the first time Android's security credentials have been questioned. Back in August Kaspersky reported a malicious SMS-based app on infected Android phones.


