In the recent days, mobile applications have been targeted by cyber criminals to spread malwares and obtain sensitive information from the user mobile phone. In a latest happening, Experts from the Leviathan Security Group released an Android app called No Permissions to demonstrate how easily malicious users can avoid worrying about the permission restrictions and harvest data from devices without the user’s knowledge.Whenever an app is installed, a screen pops up and asks them to approve the permission requested by it. However, the application made by the experts requires no permission, yet it is able to perform certain actions that can be easily catalogued as being malicious.The application only has three buttons: Steal SD Card Contents, Steal App Data, and Upload Identifying Data.Every application has at least read-only access to the contents of this external storage. No Permissions scans the /sdcard directory and returns a list of all non-hidden files.
All the files discovered can be fetched. The worrying part is that the SD card usually stores some of our most private files, including photos, backups, external configuration files, and, in some cases, even Open VPN certificates. “Secondly, I can fetch the /data/system/packages.list file to determine what apps are currently installed on the device. From there, I can scan each directory used by those applications to determine whether sensitive data can be read from those directories. In the ‘No Permissions’ app, this functionality returns a list of installed apps and a list of any readable files,” Mr Paul Brodeur, the application author said.He believes that by reading the app directories, cyber criminals could find applications with weak-permission vulnerabilities, similar to the ones identified some time ago in Skype. While device identification data such as IMEI or IMSI can’t be read without permissions, other information such as GSM and SIM vendor IDs, Android IDs, and kernel version can be accessed. While without Internet access the data cannot be transferred from the device, there is one network call that doesn’t require any permissions.
A thorough analysis can be read here. Its nothing interesting to see rise in mobile application security issue. As the portability of information gets mobilized, the more security threats will grow and faced.