Proof-of-concept Android app reveals platform’s security bug

Angry Birds is an extremely popular mobile game that can be played on Apple, Android and Nokia mobile devices – indeed, it has been downloaded by millions of users. So, when an application by the name Angry Birds Bonus Levels appeared on the Android Marketplace, and was offered for free, some 100 people downloaded it.

If they had been more attentive, they would have noticed that the developer of this application is not the Finnish company Rovio, but someone named Jon Oberheide.

This kind of discrepancy should usually be a warning sign that the application might not be what it seems but, luckily for those who downloaded it, Jon Oberheide is a security researcher bent on proving the existence of a security bug in the Android platform that would – according to F-Secure – allow an application to download and run additional applications from the Android Marketplace.

And to that end, he uploaded three more applications to the Marketplace: Fake Contact Stealer, Fake Location Tracker and Fake Toll Fraud.

As their names and descriptions say, these applications are “harmless and solely for demonstration purposes”.

The Last Watchdog reports that all of Oberheide’s applications were taken down by Google six hours after they had been uploaded, and that the researcher is in contact with the company’s security team, which has developed the fix for the vulnerability and will be rolling it out soon.



