Android users typically install many different kinds of application on their device. Some come from trusted sources, such as a bank; others are less trusted, such as free games. Some apps request permissions at installation in order to access potentially sensitive functionality. However, an app that requests no permissions at all can still harvest sensitive data from trusted apps and from the device, and pass it on, without the user's knowledge. Data exposed this way can include SMS messages, emails, GPS location, call history, browser history and bank account details.
The Android operating system uses a message passing system to move data from one component of an app to another, between apps, and from the device's services to an app. It is by intercepting messages in this system that malicious apps harvest sensitive data.
On Android, those messages are Intents. An Intent that names its recipient (an explicit Intent) is delivered only to that component. An implicit Intent names only an action, and the platform delivers it to whichever component, in any installed app, declares a matching filter. If a developer does not restrict where an Intent can go, it becomes a source of sensitive data leakage: data sent in implicit Intents can be harvested by malicious applications.
A malicious app can eavesdrop on Intents that a legitimate app broadcasts implicitly. With an ordered broadcast it can also register a higher-priority receiver and abort the broadcast, so that the intended receiver never gets the data (a denial of service attack). In an activity hijacking attack, a malicious app registers a filter for the action a legitimate app uses to start one of its own screens; the platform resolves the Intent to the malicious activity, which both receives the data in the Intent and presents a user interface that imitates the legitimate one. This is a form of phishing: the user believes they are entering data into the legitimate screen, but it is a malicious screen built to look like it. Android does not show which application owns the screen currently in the foreground, in the way a desktop window manager labels windows, so the user has no easy way to notice the substitution.
Service hijacking occurs when a malicious app masquerades as a legitimate Android service. When a legitimate app starts or binds to the service with an implicit Intent, the malicious service can be the one resolved, and any data the app sends to it is harvested. An Intent spoofing attack works in the opposite direction: the malicious app sends an Intent to an exported component of the target app in order to make it take some action, or to feed it attacker-controlled data, that the target expected only from itself or from a trusted app.
Android developers need to build security into their applications to prevent the attacks described here, which arise from the nature of Android's message passing system. If an app sends sensitive data, it should use an explicit Intent that names the intended recipient (a component class, or at least a package), so the platform cannot route it elsewhere. If an app receives sensitive data, components that are only used internally should not be exported, and components that must be reachable from other apps should be protected with a permission, ideally a signature-level one that only apps signed with the same key can hold; a broadcast can likewise be sent with a receiver permission so that only receivers holding it are invoked. Every exported component should also treat the extras it receives as untrusted input and validate them before acting on them.
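The following is an added example and not code from the original post. It shows the leaky sender described above beside its hardened form for both a broadcast and an activity start, the zero-permission receiver in an unrelated app that harvests the leaky broadcast, and a receiver-side defence against Intent spoofing. The package names, action strings, permission name, extra keys and class names are all assumptions chosen for illustration.

```java
// Added example, not the original post's code. All names below are assumed.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class IntentExamples {

    // Assumed action used by the "bank" app when an account balance changes.
    public static final String ACTION_BALANCE_UPDATED = "com.example.bank.BALANCE_UPDATED";
    // Assumed signature-level permission declared in the bank app's manifest:
    //   <permission android:name="com.example.bank.permission.BALANCE"
    //               android:protectionLevel="signature" />
    public static final String PERMISSION_BALANCE = "com.example.bank.permission.BALANCE";

    // VULNERABLE: implicit broadcast. No recipient is named, so every app whose
    // manifest registers a receiver for ACTION_BALANCE_UPDATED gets the account
    // data. The receiving app needs no permission at all.
    public static void broadcastBalanceLeaky(Context ctx, String account, long cents) {
        Intent i = new Intent(ACTION_BALANCE_UPDATED);
        i.putExtra("account", account);
        i.putExtra("balanceCents", cents);
        ctx.sendBroadcast(i);
    }

    // HARDENED: (1) setPackage makes the Intent explicit, so the platform only
    // delivers it inside this package, and (2) the receiver permission means a
    // receiver is invoked only if its app holds PERMISSION_BALANCE, which a
    // signature-level permission restricts to apps signed with the bank's key.
    public static void broadcastBalanceSafe(Context ctx, String account, long cents) {
        Intent i = new Intent(ACTION_BALANCE_UPDATED);
        i.setPackage(ctx.getPackageName());
        i.putExtra("account", account);
        i.putExtra("balanceCents", cents);
        ctx.sendBroadcast(i, PERMISSION_BALANCE);
    }

    // VULNERABLE: implicit activity start. Any app declaring an <intent-filter>
    // for this action can be resolved to show the "confirm transfer" screen,
    // which is the activity hijacking / phishing case described in the text.
    public static void openConfirmScreenLeaky(Context ctx, String payee, long cents) {
        Intent i = new Intent("com.example.bank.CONFIRM_TRANSFER");
        i.putExtra("payee", payee);
        i.putExtra("amountCents", cents);
        ctx.startActivity(i);
    }

    // HARDENED: explicit component. Resolution is by package and class name,
    // so another app's intent-filters are never consulted.
    public static void openConfirmScreenSafe(Context ctx, String payee, long cents) {
        Intent i = new Intent();
        i.setClassName(ctx.getPackageName(), "com.example.bank.ConfirmTransferActivity");
        i.putExtra("payee", payee);
        i.putExtra("amountCents", cents);
        ctx.startActivity(i);
    }
}

// Lives in an unrelated app (say, a free game). Its manifest registers it with
// no <uses-permission> at all; with an intent-filter present the component is
// exported by default on Android versions before 12 (API 31):
//   <receiver android:name=".HarvestReceiver">
//     <intent-filter>
//       <action android:name="com.example.bank.BALANCE_UPDATED" />
//     </intent-filter>
//   </receiver>
// Against broadcastBalanceLeaky it receives the account data; against
// broadcastBalanceSafe it is never invoked (wrong package, no permission).
class HarvestReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context ctx, Intent intent) {
        String account = intent.getStringExtra("account");
        long balance = intent.getLongExtra("balanceCents", -1);
        // A real attacker would exfiltrate here; this example only logs it.
        Log.d("harvest", account + ":" + balance);
    }
}

// Receiver-side defence against Intent spoofing, inside the bank app. The
// manifest keeps it private to the app (or, if other apps must reach it,
// guards it with android:permission="com.example.bank.permission.BALANCE"):
//   <receiver android:name=".BalanceReceiver" android:exported="false">
//     <intent-filter>
//       <action android:name="com.example.bank.BALANCE_UPDATED" />
//     </intent-filter>
//   </receiver>
// Even so, extras are treated as untrusted input and validated before use.
class BalanceReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!IntentExamples.ACTION_BALANCE_UPDATED.equals(intent.getAction())) return;
        String account = intent.getStringExtra("account");
        long balance = intent.getLongExtra("balanceCents", -1);
        if (account == null || !account.matches("[0-9]{8,12}") || balance < 0) {
            Log.w("bank", "rejected malformed balance update");
            return;
        }
        Log.i("bank", "balance for " + account + " is now " + balance);
    }
}
```

The two hardening measures on the sender are independent: `setPackage` (or `setClassName`) stops the platform from resolving the Intent to another app, while the receiver permission stops an app without that permission from being invoked even if the Intent somehow reaches it. Using both protects against a receiver in the bank app that was accidentally left exported.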
Applications that handle potentially sensitive data should be security tested to ensure there is no leakage through the Android message passing system. ComDroid, a static analysis tool that examines an app's compiled code and manifest and flags Intents sent without a named recipient and components that are exposed to other apps, can be used for this.
[…] As usual, one of the downsides of flexibility is increased security risk. This is compounded in the Android system by rules that will automatically export an Activity to receive Intents from any app, when certain conditions are met. If an Activity is exported for any app to call, it is possible for apps to send malicious Intents to that Activity. Many Intents are meant to be public and others are exported as a side effect. Either way, at the very least, it is necessary to sanitize the input that an Activity receives. On the other side of the issue, if an app is trusting another app to provide a sensitive service for it, then malware can pose as the trusted app and receive sensitive data from the trusting app. An app does not need to request any permissions in order to set itself up as a receiver of Intents. […]