Researchers at North Carolina State University have uncovered a variety of vulnerabilities in the standard configurations of popular Android smartphones from Motorola, HTC, and Samsung, finding that they don't properly protect privileged permissions from untrusted applications. In a paper just published by researchers Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang, the four outlined how the vulnerabilities could be used by an untrusted application to send SMS messages, record conversations, or even wipe all user data from the handset without needing the user's permission.

The researchers evaluated the security of eight phones: the HTC Legend, EVO 4G, and Wildfire S; the Motorola Droid and Droid X; the Samsung Epic 4G; and the Google Nexus One and Nexus S. While the reference implementations of Android used on Google's handsets had relatively minor security issues, the researchers were "surprised to find out these stock phone images [on the devices tested] do not properly enforce [Android's] permission-based security model." The team shared the results with Google and handset vendors, and have received confirmation of the vulnerabilities from Google and Motorola. However, the researchers have "experienced major difficulties" in trying to report issues to HTC and Samsung.

Using a software tool they developed, called Woodpecker, the NC State team analyzed each pre-loaded application on the phone, probing for "capability leaks"—sensitive application and operating system privileges left exposed to other applications in ways that would allow them to be accessed by a malicious app without requesting permission from the device user.

The leaks they found fell into two categories: "explicit" capability leaks that allow applications to exploit a public interface or service of another app without making a permission request, and "implicit" leaks that allow other applications to inherit permissions from another application signed with the same digital certificate (this allows applications from the same developer to automatically interact with each other). The explicit leaks pose a serious security leak, while implicit leaks could "misrepresent the capabilities available to an app," but were not as serious a problem.

They focused on 13 pieces of Android phones that deal with potentially sensitive user information or phone capabilities—such as geo-location, access to address books, and sending SMS messages. Across all of the phones, the researchers found 11 of these 13 privileged permissions were explicitly leaked by pre-installed apps. The worst offender was the HTC Evo 4G, which was discovered to have eight explicit leaks.

By exploiting these leaks, the researchers found "an untrusted app on these affected phones can manage to wipe out the user data on the phones, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations—all without asking for any permission."

The survey only focused on pre-installed apps on these phones. It's possible that additional vulnerabilities could be exposed by legitimate apps added to Android phones, and, as the researchers point out, it would be difficult to assess the vulnerability of applications purchased through app stores because the stores don't list the permissions used by the apps. But pre-installed apps remain the biggest potential target for attackers since they have the largest installed base.