Daniel Divricean, a software engineer specialising in security, has claimed he has a proof of concept for a high-severity flaw in Google Play's install mechanism. Daniel says that this vulnerability allows an app to install any number of apps with any set of permissions without the user's explicit consent. Google has confirmed the vulnerability to Daniel and said that a fix is live for 100 percent of Android users as of 12.2.2014.

Apps installed on Android devices through the Google Play Store or its website normally ask the user for explicit permission to use the various services of the Android operating system. But Daniel says that anyone can develop an app (possibly a Trojan) and get it installed on any Android device through Google Play, or through the web, without any explicit user consent. Daniel says it is based on two things:

1. You can install an app from Google Play using just the browser, even from a PC.

2. An app can embed a browser and automatically log in to your Google account without any notification, using only a few permissions.

A brief summary of his findings follows.

Description

————————

A publisher/developer/hacker can build an Android app, which can be a Trojan, that requires only these permissions:

android.permission.INTERNET – Allows applications to open network sockets.

android.permission.GET_ACCOUNTS – Allows access to the list of accounts in the Accounts Service.

android.permission.USE_CREDENTIALS – Allows an application to request authtokens from the AccountManager.
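Added here as a defender's check, not part of Daniel's write-up or Google's code: a small Python audit that parses an AndroidManifest.xml and flags an app requesting all three of the permissions listed above together, since each one alone is common and harmless but the combination is what the finding relies on. The package names and manifests are constructed samples, not real apps.

```python
import xml.etree.ElementTree as ET

# Real attribute namespace Android uses for android:name in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The three permissions the write-up says suffice for an app to obtain a Google
# auth token and drive Play's web install flow with no install-time prompt.
SILENT_INSTALL_TRIO = frozenset({
    "android.permission.INTERNET",
    "android.permission.GET_ACCOUNTS",
    "android.permission.USE_CREDENTIALS",
})

def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> value in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def audit_manifest(manifest_xml: str) -> dict:
    """Report whether the manifest requests the full trio, and what is missing if not.
    Each permission alone is common and benign; only the combination is the signal."""
    perms = requested_permissions(manifest_xml)
    missing = SILENT_INSTALL_TRIO - perms
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "requests_trio": not missing,
        "missing_from_trio": sorted(missing),
        "permission_count": len(perms),
    }

# Constructed sample manifests (hypothetical package names, not real apps).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.suspicious">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(audit_manifest(manifest))
```

Run over the manifests pulled from a device or an APK corpus, the `requests_trio` flag is a triage hint for further review, not proof of malicious intent.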



