Security expert warns hackers can attack Android

BOSTON Fri Aug 12, 2011 6:16pm EDT

The Google home page is shown on Google's latest version of the Android operating system, Honeycomb, on a Motorola Xoom tablet device following a news conference at Google Headquarters in Mountain View, California February 2, 2011. REUTERS/Beck Diefenbach

The Google home page is shown on Google's latest version of the Android operating system, Honeycomb, on a Motorola Xoom tablet device following a news conference at Google Headquarters in Mountain View, California February 2, 2011.

Credit: Reuters/Beck Diefenbach

Related Topics

BOSTON (Reuters) - A mobile security expert says he has found new ways for hackers to attack phones running Google Inc's Android operating system.

Riley Hassell, who caused a stir when he called off an appearance at a hacker's conference last week, told Reuters he and colleague Shane Macaulay decided not to lay out their research at the gathering for fear criminals would use it attack Android phones.

He said in an interview he identified more than a dozen widely used Android applications that make the phones vulnerable to attack.

"App developers frequently fail to follow security guidelines and write applications properly," he said.

"Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message."

He declined to identify those apps, saying he fears hackers might exploit the vulnerabilities.

"When you release a threat and there's no patch ready, then there is mayhem," said Hassell, founder of boutique security firm Privateer Labs.

Hassell said he and Macaulay alerted Google to the software shortcomings they unearthed.

Google spokesman Jay Nancarrow said Android security experts discussed the research with Hassell and did not believe he had uncovered problems with Android.

"The identified bugs are not present in Android," he said, declining to elaborate.

It was the first public explanation for the failure of Hassell and Macaulay to make a scheduled presentation at the annual Black Hat hacking conference in Las Vegas, the hacking community's largest annual gathering.

They had been scheduled to talk about "Hacking Androids for Profit." Hundreds of people waited for them to show up at a crowded conference room.

Hassell said in an interview late on Thursday the pair also learned -- at the last minute -- that some of their work may have replicated previously published research and they wanted to make sure they properly acknowledged that work.

"This was a choice we made, to prevent an unacceptable window of risk to consumers worldwide and to guarantee credit where it was due," he said.

A mobile security researcher familiar with the work of Hassell and Macaulay said he understood why the pair decided not to disclose their findings.

"When something can be used for exploitation and there is no way to fix it, it is very dangerous to go out publicly with that information," the researcher said. "When there is not a lot that people can do to protect themselves, disclosure is sometimes not the best policy."

Hassell said he plans to give his talk at the Hack in The Box security conference in Kuala Lumpur in October.

(Reporting by Jim Finkle; editing by John Wallace and Andre Grenon)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (3)
tangogo68 wrote:
Thank goodness that someone is helping Android users, while Google is too busy counting their advertising revenues.

Aug 12, 2011 6:40pm EDT  --  Report as abuse
mykldean wrote:
Oh my god no! People can hack android? NEWS FLASH: People can hack absolutely ANYTHING that connects to the internet.
It’s ok, just breathe… Android has not been widely hacked in any way shape or form. It could be, but it IS NOT NOW. Smartphones are yet to be widely exploited by hackers but it seems as though they “might” in the future, so just don’t be stupid. That’s all.

Aug 13, 2011 12:00am EDT  --  Report as abuse
kain1983 wrote:
smart phone would become become next generation Pc, so there is no need to be suprised that any kind of cell os could be hacked or virused.it just the inevitable trend.

Aug 15, 2011 5:15am EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.