Security firm Sophos says Google’s new Android Market for the Web could open a backdoor for phone hackers to muck around with your smartphone. The problem, says Sophos, is that once a user clicks the install button on the Web, the linked mobile device begins downloading the application without any kind of warning, and that could lead to trouble. Sophos sees this as a game-changing scenario for phishers unless Google changes things up, and does so quickly.
In a lengthy blog post, Sophos points out that the most important security aspect of the installation process on Android is the set of permissions an app requires on a device after the installation. For example, if a game is asking for permission to send and receive SMS messages, then perhaps it’s up to no good. But the real “red security flag” is the lack of notification on the mobile device that a Web app installation has been triggered.
“If someone managed to steal your Google password they could trick your Android smartphone into installing software, without you having to grant permission on the device itself,” says Vanja Svajcer, Principal Virus Researcher at SophosLabs. “The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence. In future, however, the phishers’ intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user’s Android devices instead.”
Sophos says that at minimum, Google should make changes to the remote installation mechanism so that a dialog box is displayed on the receiving device.
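To make the design point concrete, here is a small Python model of the two install flows: the Web market pushing an app straight onto the linked phone, and the same push gated by the device-side dialog Sophos asks for. This is an added illustration, not Android's or Google's code; the class names, the `require_confirmation` flag and the permission strings are assumptions made for the example. It also carries the article's SMS heuristic (a game asking for SMS permissions) as a simple flagging check.

```python
"""Model of a web-triggered app install, with and without a device-side
confirmation step. Added illustration only: the classes, names and the
permission list are assumptions, not Android's or Google's real API."""
from dataclasses import dataclass, field

# Permissions that look out of place for a "game" (constructed heuristic,
# following the article's SMS example).
SMS_PERMISSIONS = {"SEND_SMS", "RECEIVE_SMS"}


@dataclass
class App:
    name: str
    category: str
    permissions: set


@dataclass
class Device:
    """Phone linked to a Google account. require_confirmation models the
    dialog Sophos asks for: installs wait until the user accepts on the phone."""
    require_confirmation: bool
    installed: list = field(default_factory=list)
    pending: list = field(default_factory=list)

    def push_install(self, app):
        """Called by the web market after a logged-in session clicks Install."""
        if self.require_confirmation:
            self.pending.append(app)       # user sees a prompt on the phone
            return "pending"
        self.installed.append(app.name)    # silent install: no device-side check
        return "installed"

    def user_confirms(self, app_name, accept):
        """Device-side decision; the prompt also shows the requested permissions."""
        for app in list(self.pending):
            if app.name == app_name:
                self.pending.remove(app)
                if accept:
                    self.installed.append(app.name)
                    return "installed"
                return "rejected"
        return "not-pending"


def suspicious_permissions(app):
    """Flag permissions that do not fit the app's category."""
    if app.category == "game":
        return sorted(app.permissions & SMS_PERMISSIONS)
    return []


def simulate(require_confirmation, user_accepts=False):
    """A web session holding the account password pushes a game that wants
    SMS access (constructed sample app). Returns
    (push result, final result, installed apps)."""
    device = Device(require_confirmation=require_confirmation)
    app = App("FreePuzzle", "game", {"INTERNET", "SEND_SMS", "RECEIVE_SMS"})
    first = device.push_install(app)
    final = first
    if first == "pending":
        final = device.user_confirms(app.name, user_accepts)
    return first, final, list(device.installed)


if __name__ == "__main__":
    print("no dialog:", simulate(False))
    print("dialog, user declines:", simulate(True, user_accepts=False))
    print("dialog, user accepts:", simulate(True, user_accepts=True))
```

Run it and the difference Sophos is describing falls out directly: with `require_confirmation=False` the only thing standing between the account credentials and an installed app is the Web login, while with the dialog the phone's owner gets a second chance to look at the permissions and decline.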
Does Sophos have a legitimate concern here, or is this much ado about nothing?