Researchers have found two new vulnerabilities in Android operating system. According to researchers Jon Oberheide and Zach Lanier some malicious apps could get installed on Android devices without taking the users’ permission.
The researchers created a proof of concept app which posed as an expansion pack for Angry Birds and once it was in the device it installed three more apps without asking users for permission. The exploit also monitored text messages, contacts and location information which were then transmitted to a remote server.
The second bug, known as teamjoch, lives in the Linux kernel where Android itself comes from and it allows even those apps that have limited permissions, full control over the device.
The researchers said, “The second bug is a Linux kernel privilege escalation that affects a significant subset of Android devices…. we’re currently an unprivileged user with the unique identification of the terminal app. If we run teamjoch exploit, our privileges are instantly escalated and we’re presented with a root shell. An unprivileged application can exploit this vulnerability to escalate privileges and gain full control over the device.”