Showing results for 
Search instead for 
Did you mean: 
Community Expert Advisor

Researchers find Android security issue in app permissions protocol

Researchers find Android security issue in app permissions protocol 

by Danielle Walker


The permissions issue could allow a malicious app to alter legitimate home screen icons. Analysts discovered an Android app permissions issue, which could ultimately allow a crafty saboteur to redirect users to spurious sites using malicious apps.

In a Monday blog post, FireEye researchers detailed the problem: an inadequate security protocol affecting Android platforms 4.1 to 4.4.2, where some app permissions, categorized as “normal”, open users' data to dangerous exploits.

FireEye also found that devices using non-Android Open Source Project [ASOP] launchers, such as Nexus 7 running CyanogenMod 4.4.2, Samsung Galaxy S4 running Android 4.3, and HTC One running Android 4.4.2., were impacted by the issue. In a proof of concept attack scenario, researchers demonstrated how a malicious app with two “normal” permissions was able to modify legitimate home screen icons on users' devices. After doing this, an intruder could orchestrate attacks targeting users' sensitive data. In the attack scenario, researchers showed how victims could be redirected to phishing websites, once they clicked modified icons. FireEye explained that ASOP uses an app permissions classification process, which will alert users to apps requesting “dangerous” permissions, by requiring their confirmation before users install the app. In contrast, apps asking for “normal” permissions can be downloaded without the added step. "An attacker can still manipulate Android home screen icons using two normal permissions: and WRITE_SETTINGS”, the blog post said. “These two permissions enable an app to query, insert, delete, or modify the whole configuration settings of the Launcher, including the icon insertion or modification. Unfortunately, these two permissions have been labeled as ‘normal' since Android 1.x".

In a Monday email to, Hui Xue, a senior engineer at FireEye who co-authored the blog post, said that the company notified Google of the issue last October. In response, Google replied in February that it had released a patch for its original equipment manufacturers (OEMs) remediating the issue. Despite the patch's availability, many users still await a fix from their vendors, Xue added. “Vendors do need to incorporate the patches”, Xue said. “Before updates from vendors, users have to take extra caution when using icons”. FireEye said that it has not seen any evidence of attempted exploits leveraging the vulnerability.


Full Article

Sr. Community Leader

Beta Tester

WEBROOT® SecureAnywhere™ Internet Security Complete Beta
macOS Sierra & Windows 10 Pro 64

Community Leader

Re: Researchers find Android security issue in app permissions protocol

The following article is a update on Android permissiion protocol

(Malicious app can get past Android WITHOUT PERMISSIONS)


By Richard Chirgwin,



Researchers presenting at Usenix have lifted the lid on yet another Android vulnerability: the way apps use memory can be exploited to leak private information with a success rate “between 82 and 92 per cent of the time”.

Announced by the University of California, Riverside here, the researchers' paper gives a pretty good idea of what's going on in its title: “Peeking into Your App without Actually Seeing It: UI State Inference andNovel Android Attacks”.


They note that UI state can be spied on by a malicious app without requiring any permissions, in what they call a “UI inference attack”. Their demonstration included stealing login credentials and obtaining sensitive camera images taken by the user (in the demo case, they copied a cheque a user had shot for use with a banking app).


The Register/ full article here/

Community Leader