Written by 
On Wednesday, a proof of concept application has been downloaded and made available on Android Market, which took advantage of two recently discovered serious errors in Android OS.
Angry bird disguised as expanding the software silently installed three additional applications without user authorization. Hidden applications are also able to access your contacts information to the user location and SMS. They could also transmit data to a remote server.
Scio Security CTO Jon Oberheide–one of the two researchers who discovered and exploited the Android vulnerability–said that it took Google about six hours to discover and pull the bogus app. The next step will be to “lock down” the special security tokens Google uses so that users don’t have to expose passwords to 3rd-party services. The proof-of-concept code works by exploiting weaknesses in that Android token system.
“It abuses that token to perform the same actions the legitimate Market app would perform, but without asking for permission,” Oberheide told The Register. “Through some of the research, we realized we could use this one specific token for the Android service to bypass the restrictions on the permission system.”
Oberheide and colleague Zach Lanier – Senior Consultant Intrepidus Group – plan to give more information to Homeland Security Conference is scheduled for Thursday at Intel’s Oregon campus.
Oberheide previously released a couple of applications on Android Market in June that forced Google to use its remote switch secret then kill. The applications have demonstrated how hackers can only kit market bootstrap root at the top Android phones.
