Security researchers have uncovered flaws in the way Android is implemented on many handsets, making it possible for an untrusted app on the device to record phone calls, send SMS messages and access user data without holding the permissions those actions normally require.
The computer scientists from North Carolina State University tested handsets from several manufacturers, including Samsung, HTC and Motorola, and were “surprised to find out these stock phone images do not properly enforce the permission-based security model”, they reported in a paper.
In the absence of a central app-vetting process, Android relies on a permission-based security model: each application must explicitly request the permissions it needs, and the user approves them before the app can be installed.
The researchers used interprocedural data-flow analysis to expose capability leaks: cases in which an untrusted app can reach sensitive data or privileged actions by going through a pre-installed app, without ever being granted the corresponding permission itself.
Using a tool dubbed Woodpecker, the researchers examined 13 privileged permissions and found that 11 of them were leaked on at least one of the tested phones, with a single handset leaking up to eight.
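The first step of the kind of analysis described above is to enumerate the entry points an untrusted app can reach: components that a pre-installed app exports without guarding them with a permission. The following is an added example, not the researchers' Woodpecker tool, that performs that manifest-level check in Python using Android's default export rules; the manifest it runs on is constructed for illustration, and the vendor app and component names in it are made up. It deliberately stops short of the data-flow stage: an unguarded entry point only becomes a capability leak when a privileged framework call is reachable from it, which is exactly what the researchers' interprocedural analysis established.

```python
"""Flag exported Android components that no permission guards.

Added example in the spirit of the first stage of the Woodpecker analysis
discussed above; it is not the researchers' own code. It only finds unguarded
entry points, not the privileged calls reachable from them.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest for a hypothetical pre-installed vendor app (not real).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendorphone">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="VendorPhone">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SmsSendService" android:exported="true"/>
    <service android:name=".LocationSyncService" android:exported="true"
             android:permission="com.example.vendorphone.SYNC"/>
    <receiver android:name=".CallRecorderReceiver">
      <intent-filter>
        <action android:name="com.example.vendorphone.RECORD"/>
      </intent-filter>
    </receiver>
    <activity android:name=".SettingsActivity"/>
    <provider android:name=".LogProvider"
              android:authorities="com.example.vendorphone.logs"/>
  </application>
</manifest>
"""


def a(attr):
    """Fully qualified name of an android: attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


def is_exported(comp, min_sdk, target_sdk):
    """Apply the platform's default export rules.

    An explicit android:exported wins. Otherwise activities, services and
    receivers are exported iff they declare an intent-filter, and providers
    are exported by default when minSdkVersion or targetSdkVersion is 16 or
    lower (the default changed in API 17).
    """
    explicit = comp.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if comp.tag == "provider":
        return min_sdk < 17 or target_sdk < 17
    return comp.find("intent-filter") is not None


def is_guarded(comp, app_perm):
    """True if a caller must hold some permission to reach the component."""
    if comp.get(a("permission")) or app_perm:
        return True
    if comp.tag == "provider":  # both directions must be covered
        return bool(comp.get(a("readPermission")) and comp.get(a("writePermission")))
    return False


def find_unguarded_entry_points(manifest_xml):
    """Return (tag, name) for every exported component with no permission."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(a("minSdkVersion"), "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(a("targetSdkVersion"), str(min_sdk))) if sdk is not None else min_sdk
    app = root.find("application")
    if app is None:
        return []
    app_perm = app.get(a("permission"))  # application-wide guard, if any
    findings = []
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        if is_exported(comp, min_sdk, target_sdk) and not is_guarded(comp, app_perm):
            findings.append((comp.tag, comp.get(a("name"))))
    return findings


if __name__ == "__main__":
    for tag, name in find_unguarded_entry_points(SAMPLE_MANIFEST):
        print("unguarded entry point: <%s> %s" % (tag, name))
```

On the constructed manifest the check reports the launcher activity, the exported SMS service, the receiver that is exported implicitly by its intent-filter, and the provider that is exported by the pre-API-17 default; the permission-guarded sync service and the private settings activity are not reported. The launcher activity illustrates why this list is only a starting point: every app has one, and whether any of these entry points actually leaks SEND_SMS or RECORD_AUDIO depends on what code runs behind it.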
“These leaked capabilities can be exploited to wipe out the user data, send out SMS messages to premium numbers, record user conversation, or obtain the user’s geo-location data on the affected phones – all without asking for any permission,” the researchers said.