Dutch paper +volkskrant has an article today on an Android exploit that researchers at the +Vrije Universiteit Amsterdam have found. It basically works like this:

- Attacker controls the browser of the user on their Windows/Linux/Mac desktop (not Android).
- Attacker steals Google credentials that allow installation of an app from the Play Store on any of the devices that the user might have.
- App is automatically installed, like installing any app from the web version of the Google Play Store.

So far, this might be a security concern. An attacker that is able to exploit your browser can pretend to be you and act like you. Which is usually the whole point of exploiting right :)

Now the tricky part: the user needs to actually activate the app. At 3:06 in the video, you hear the researcher say that the user has to click on the app, which is correct. Possibly, because it has "an attractive icon". Then they go on stating that even without clicking on the app, it could be launched from a bookmark or web page. However, they don't show what that would look like, for obvious reasons, since the user would get a dialog asking if the web page should be opened in the browser or using the app that was installed.

If the app is started, it pulls in additional payloads. The video talks about replacing the Paypal app. That would require a user to enable the "Unknown sources" option on their phone, triggering a warning dialog. Then the replacement app would be installed manually by the user, no Google Play Store involved. The video actually shows that the user has to confirm installation and it has very different UI compared to the normal install UI.
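The "Unknown sources" switch the post refers to is what a defender would want to audit on a fleet of phones. The following is an added example, not code from the original post or from the VU researchers: it parses the `key=value` lines printed by `adb shell settings list secure` (assumed to be how the listing was captured) and flags the Android `Settings.Secure` key `install_non_market_apps`, which backs that switch on the Android versions the post is about (it was deprecated in Android 8, where sideloading became a per-app permission). The sample listing in the block is constructed.

```python
# Added example (not from the original post): flag the "Unknown sources" setting
# in the output of `adb shell settings list secure`. The key name
# install_non_market_apps is Android's real Settings.Secure key for that switch;
# the listing below is constructed sample data, not captured from a device.
import re

RISKY_SECURE_SETTINGS = {
    # key -> (value that indicates the risky state, explanation)
    "install_non_market_apps": (
        "1",
        "sideloading from outside Google Play is enabled",
    ),
}


def parse_settings(listing):
    """Parse `key=value` lines as printed by `adb shell settings list <namespace>`.

    Values may themselves contain '=', so only the first '=' splits key and value.
    """
    settings = {}
    for line in listing.splitlines():
        line = line.strip()
        m = re.fullmatch(r"([A-Za-z0-9_.]+)=(.*)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_secure_settings(listing):
    """Return human-readable findings for risky values in a 'secure' listing."""
    settings = parse_settings(listing)
    findings = []
    for key, (bad_value, why) in RISKY_SECURE_SETTINGS.items():
        value = settings.get(key)
        if value is None:
            # Edge case: on Android 8+ the key may be absent because sideloading
            # is governed per app (REQUEST_INSTALL_PACKAGES); say so rather than
            # silently reporting the device as clean.
            findings.append(
                f"{key}: not present in listing (Android 8+ governs sideloading "
                "per app; check that permission instead)"
            )
        elif value == bad_value:
            findings.append(f"{key}={value}: {why}")
    return findings


# Constructed sample, modelled on the key=value format of `settings list secure`.
SAMPLE_SECURE_LISTING = """\
accessibility_enabled=0
install_non_market_apps=1
lock_screen_show_notifications=1
"""

if __name__ == "__main__":
    for finding in audit_secure_settings(SAMPLE_SECURE_LISTING):
        print(finding)
```

Run against a real device with `adb shell settings list secure | python3 this_script.py`-style piping after swapping the constructed sample for `sys.stdin.read()`; a result of `install_non_market_apps=1` means the manual, non-Play install the video shows would only need the user to tap through the confirmation dialog.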

When that happens, the app can steal information and data, but still within the app sandbox. For example, it couldn't steal data from your banking app.

Now, nothing shown after the 3-minute mark of the video is a new way of exploiting Android devices. In fact, most malware coming from whatever source (alternative app stores, torrent sites etc) would act this way.

IMHO the video is biased and not very scientific in multiple ways:
- It assumes your browser can be easily hacked, but I'll let that slide
- It assumes that malicious apps can live long and prosper on Google Play and they show an app being installed that does not have a malicious payload (as far as I can tell).
- They don't show you the prompts and security warnings an Android phone would show you in this scenario.

Here's the video: https://www.dropbox.com/s/jd45lfnkefb4lp1/mitbandroid-vo3.mp4?dl=0
Article (Dutch): http://www.volkskrant.nl/tech/groot-lek-in-android-telefoons~a4089416/
And how launching an app from the browser would really look: https://twitter.com/botteaap/status/614784118883287041