Two new vulnerabilities have been found by the same team of Jon Oberheide and Zach Lanier, who had earlier put an app in the Android Market which proved that malicious developers could install additional applications without a user’s knowledge. Back then, the issues were resolved quickly by Google, but now the duo might just have Google working on fixes for the OS once again.
The first bug is a permission escalation vulnerability that affects all Android handsets, regardless of OS version. The bug allows attackers to install additional arbitrary applications with arbitrary permissions, without ever asking the user to permit such installations. Once the bug is exploited, attackers can install anything else they want, accessing data such as call records, texts, web browsing history, and media. The second bug affects only the Samsung Nexus S, and allows the attacker to gain root access and then full control over the handset.
Google might want to keep an eye out for such security mishaps. One security issue can lead to other attackers developing similar attacks in the future, which should be a big concern for the company right now.