I was just at a seminar on “Automated Detection and Mitigation of Inter-Application Security Vulnerabilities in Android”. Basically they told us that some Android apps even though they do not require permissions to access some info they acquire the info through the other apps on your phone. I just learned that millions of people have downloaded flashlight apps that require permissions! So, it will be really annoying to make sure none of your info is sent to china, russia etc. or you just don’t care. But you should care. They could know where you are at all the time! More importantly they would be draining your battery and using up your data.
So, I wonder if that will be the new way for criminals to hide their data. They have these huge android networks. Since they got millions of people to install this app they could be bouncing data around this network of phones. Or they could be part of a ddos attack and they wouldn’t even know. Except this ddos could not only be an attack on a server it could be an attack on a phone system. They could have the phones place phone calls to a call center. Imagine a million people calling a single police station or hospital over a 30 minute period. It would be deadly. It could be done. I don’t think it could be blocked either. Actually I can’t believe this isn’t happening. It seems simple. They could also use this as a way to make phone calls virtually untraceable. You would constantly be switching the route through your personal network of devices throughout the world through possibly millions of cell towers and satellites.
The other thing that some people look for is the size of the app. If it seems too big all you have to do is to exploit one of the other applications to download. Essentially you are a trojan that will get the payload via another app. Then install. All so your main app can look like a nice flashlight app.
So, now how do you find these bad applications? Because you really don’t want those other bad app on the phone while you are on the phone. Because basically you would prefer that they don’t act stupid and constantly use up the battery giving away the exploit (since the user will eventually decide to uninstall them). Basically you could take advantage of those exploitable apps until you have gotten your trojan installed and then use the trojan to cause those exploitable apps to crash when ever they are opened. Causing the user to either uninstall or to not care (which doesn’t matter since they are never opened). Then you behave yourself and be the best flashlight app ever. So, everyone wants to install you :).
This is pretty intimidating. I wonder how much of this has been done, especially the stuff with the phones? Any of you spammers that spam my site know? haha 😉
I wonder how this works for apple iphone?