The permissions issue could allow a malicious app to alter legitimate home screen icons.

Analysts discovered an Android app permissions issue, which could ultimately allow a crafty saboteur to redirect users to spurious sites using malicious apps.

In a Monday blog post, FireEye researchers detailed the problem: an inadequate security protocol affecting Android platforms 4.1 to 4.4.2, where some app permissions, categorized as “normal,” open users' data to dangerous exploits.

FireEye also found that devices using non-Android Open Source Project [AOSP] launchers, such as Nexus 7 running CyanogenMod 4.4.2, Samsung Galaxy S4 running Android 4.3, and HTC One running Android 4.4.2, were impacted by the issue.

In a proof-of-concept attack scenario, researchers demonstrated how a malicious app with two “normal” permissions was able to modify legitimate home screen icons on users' devices. After doing this, an intruder could orchestrate attacks targeting users' sensitive data. In the attack scenario, researchers showed how victims could be redirected to phishing websites once they clicked modified icons.

FireEye explained that AOSP uses an app permissions classification process that alerts users to apps requesting “dangerous” permissions by requiring their confirmation before the app is installed. In contrast, apps asking for “normal” permissions can be downloaded without the added step.

“…An attacker can still manipulate Android home screen icons using two normal permissions: com.android.launcher.permission.READ_SETTINGS and com.android.launcher.permission.WRITE_SETTINGS,” the blog post said. “These two permissions enable an app to query, insert, delete, or modify the whole configuration settings of the Launcher, including the icon insertion or modification. Unfortunately, these two permissions have been labeled as ‘normal’ since Android 1.x.”
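For administrators vetting apps before they reach affected devices, the check below flags any app whose manifest requests the two launcher permissions quoted above. It is an added example, not code from FireEye or Google, and it assumes the manifest has already been decoded from the APK's binary XML to text (for instance with apktool); the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The two "normal" launcher permissions quoted from the FireEye post.
LAUNCHER_PERMS = {
    "com.android.launcher.permission.READ_SETTINGS",
    "com.android.launcher.permission.WRITE_SETTINGS",
}

# Constructed sample manifests (hypothetical package names).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>
  <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS"/>
</manifest>"""
SAMPLE_CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def audit_manifest(manifest_xml):
    """Report which launcher-settings permissions a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    requested = {
        (elem.get(ANDROID_NS + "name") or "").strip()
        for elem in root.iter("uses-permission")
    }
    found = requested & LAUNCHER_PERMS
    if found == LAUNCHER_PERMS:
        verdict = "review: can read and modify launcher configuration"
    elif found:
        verdict = "note: requests one launcher settings permission"
    else:
        verdict = "ok"
    return {"package": root.get("package"),
            "launcher_perms": sorted(found),
            "verdict": verdict}

if __name__ == "__main__":
    for sample in (SAMPLE_FLAGGED, SAMPLE_CLEAN):
        print(audit_manifest(sample))
```

The check matches only the two AOSP launcher permission names given in the post; permissions defined by vendor launchers are not covered.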

In a Monday email to SCMagazine.com, Hui Xue, a senior engineer at FireEye who co-authored the blog post, said that the company notified Google of the issue last October.

Google replied in February that it had released a patch for its original equipment manufacturers (OEMs) remediating the issue.

Despite the patch's availability, many users still await a fix from their vendors, Xue added.

“Vendors do need to incorporate the patches,” Xue said. “Before updates from vendors, users have to take extra caution when using icons.”

FireEye said that it has not seen any evidence of attempted exploits leveraging the vulnerability.