“The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn’t the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users’ phones as well,” Dennis Fisher reports for threatpost.
“Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users’ phones,” Fisher reports. “‘I don’t know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it’s easy to have the install mechanism too,’ Oberheide said in an interview. ‘I don’t know if they’ve used it yet.'”
“Many, if not most, Android owners likely had no idea that the REMOVE_ASSET function existed, and Google’s use of it generated quite a bit of publicity and concerns about privacy and security for Android owners. However, Oberheide, the co-founder of startup Scio Security and a PhD candidate at the University of Michigan, said that wasn’t nearly as interesting as the other half of the equation,” Fisher reports. “‘Now, the Android platform not only allows for the removal of applications remotely via the REMOVE_ASSET intent, but also allows for the installation of new applications via the INSTALL_ASSET intent. If some people are upset that Google retains the ability to kill applications remotely (I personally prefer the potential security gains of the functionality), I fear what they’d think of the INSTALL_ASSET feature,’ he wrote in a blog post explaining his research and the removal and install features.”
Full article here.
MacDailyNews Take: Remotely installing apps without the users’ permission or knowledge? Replace Google with Apple and imagine the furor.
[Attribution: Slashdot. Thanks to MacDailyNews Reader “G.” for the heads up.]