"Weirdest permissions" include disabling lock screens and recording audio.
Researchers have recently uncovered two unrelated threats that have the potential to turn some Android devices into remotely controlled bugging and spying devices.
The first risk, according to researchers at antivirus provider Bitdefender, comes in the form of a software framework dubbed Widdit, which developers for more than 1,000 Android apps have used to build revenue-generating advertising capabilities into their wares. Widdit includes a bare-bones downloader that requests a host of Android permissions it doesn't need at the time of installation.
"These permissions are not necessarily used by the SDK [software development kit], but requesting them ensures that anything introduced later in the SDK will work out of the box," Bitdefender researchers Vlad Bordianu and Tiberius Axinte wrote in a blog post published Tuesday. "Among the weirdest permissions we saw are permissions to disable the lock screen, to record audio, or to read browsing history and bookmarks."
Another odd privilege acquired by apps that bundle Widdit: they can execute specific code when a device reboots, receives a text message, or places a call, or when an app is installed or uninstalled. What's more, Widdit uses an unencrypted HTTP channel to download application updates, a design decision that allows attackers on unsecured Wi-Fi networks to replace legitimate updates with malicious files. The man-in-the-middle vulnerability isn't unique to Widdit. In September, researchers said that many mostly older Android apps are also susceptible. Bitdefender has identified about 1,640 apps in the official Google Play app marketplace that included the framework. So far, only 1,122 of them have been removed.
An unrelated malware family discovered by researchers from Lookout Security, another provider of Android threat detection software, has the ability to make phone calls with no user interaction, a capability the firm has never seen before. At the moment, MouaBad.p appears to use that capability to dial pricey premium numbers, but there's nothing stopping its developers from using it to snoop on infected users, particularly given the stealth built into the app.
"In addition to never-before-seen functionality, MouaBad.p is particularly sneaky and effective in its aim to avoid detection," the Lookout researchers wrote. "For example, it waits to make its calls until a period of time after the screen turns off and the lock screen activates. MouaBad.p also end[s] the calls it makes as soon as a user interacts with their device (e.g. unlocks it)."
Fortunately, the risk of most Android users getting infected by MouaBad.p is low since it's found mostly in Chinese-speaking regions and works only on devices running Android version 3.1 or older. Furthermore, the command and control servers that infected devices connect to weren't responding at press time. Still, MouaBad.p—which appears to take initial hold of devices through a "dropper" app that loads a hidden payload in the background—gives an idea of the type of stealth and growing sophistication possible in mobile-based malware.
As always, Ars advises readers to think long and hard before changing default Android settings restricting the installation of apps available in marketplaces other than Google Play. Android users should also consider using an antimalware app from a reputable provider.