A Novel Attack against Android Phones

In the first quarter of 2011, Android has become the top-selling operating system for smartphones. In this paper, we present a novel, highly critical attack that allows unprompted installation of arbitrary applications from the Android Market. Our attack is based on a single malicious application, which, in contrast to previously known attacks, does not require the user to grant it any permissions.

💡 Research Summary

The paper titled “A Novel Attack against Android Phones” by Michael Backes, Sebastian Gerling, and Philipp von Styp-Rekowski (affiliated with Saarland University and MPI‑SWS) announces a critical vulnerability discovered in early 2011, when Android had just become the dominant smartphone operating system. According to the abstract, the authors claim to have devised a new attack that enables the unprompted installation of arbitrary applications from the Android Market (now Google Play) using a single malicious application that requires no permissions from the user.

The manuscript is deliberately sparse because the authors followed a responsible disclosure process. In the “Responsible Disclosure” section they state that they reported the vulnerability to Google on June 20, 2011, and that, in order to give Google time to develop a fix, they removed the technical core of the paper, leaving only a generalized title and abstract. The document therefore serves primarily as a timestamp of discovery. To preserve evidence of the original report, the authors provide the SHA‑512 hash of the full report as it was sent to Google:

051426b1 794e3635 44893b71 23ba3d15c5d878a9ff736162b85479d063a
86940fe2 d6280774 fd98989c ce8b1628d5d9428d0691ee4ffcc2c07da82
31ca79af 5d1

Because the substantive sections (attack description, experimental validation, mitigation strategies) have been excised, the paper does not contain concrete code, API calls, or proof‑of‑concept details. Nonetheless, the claim itself is noteworthy: a malicious app that declares zero permissions can somehow trigger the Market client to download and install a second, arbitrary app without any user interaction. This contradicts the fundamental premise of Android’s permission model, which assumes that any operation capable of affecting other applications or the system requires explicit user consent.

From a technical standpoint, several plausible vectors could have been exploited in the 2011 Android ecosystem. Early versions of the platform exposed internal system services such as PackageManager.installPackage() to applications that held the INSTALL_PACKAGES permission. If the Market client (or a related service) accepted installation requests via public intents or broadcast messages without adequately checking the caller’s identity, a permission‑less app could potentially craft a malicious intent that the Market would honor. Another possibility is that the Market’s own API for “install from market” was insufficiently protected, allowing any app to invoke it with a package name and let the Market handle the download and installation silently. The presence of weak signature verification or the ability to spoof the Market’s internal “install” flow could also have contributed.

If such an attack were feasible, the impact would be severe. An attacker could distribute adware, spyware, or even a full‑blown trojan that gains elevated privileges after the initial silent installation. Because the user never sees a permission dialog, the attack would be invisible to the average consumer, leading to data exfiltration, financial fraud, or device bricking. Moreover, the attack could be chained: the first payload could download additional malicious components, establish a command‑and‑control channel, or modify system settings, thereby amplifying the threat surface.

The timing of the disclosure is significant. In mid‑2011 Android was rapidly expanding, but many devices still ran versions prior to Android 4.0 (Ice Cream Sandwich). Those releases lacked the runtime permission model introduced later, and the Market client was less hardened against inter‑process abuse. The authors’ decision to report responsibly and provide a cryptographic hash demonstrates good security research practice, ensuring that Google could verify the report’s authenticity while preventing premature public exploitation.

Since the original paper’s core content is unavailable, the security community cannot independently verify the exact mechanism. However, the incident likely contributed to subsequent hardening of the Android ecosystem. Google introduced several mitigations in later releases: stricter checks on intents targeting the Play Store, the requirement that only system‑signed apps can invoke installPackage without user interaction, and the addition of Play Protect, which scans apps before installation. The permission model itself evolved to include runtime prompts for dangerous permissions, making it harder for a zero‑permission app to perform privileged actions.

In summary, the paper serves as a historical record of a potentially high‑impact vulnerability that leveraged a flaw in the interaction between a permission‑less malicious app and the Android Market client. While the detailed exploit is not disclosed, the claim underscores the importance of rigorous validation of inter‑app communication pathways, especially in a platform as widely deployed as Android. Future work should aim to reconstruct the attack (e.g., by analyzing archived Android source code from the era), assess whether remnants of the vulnerability persist in custom ROMs or legacy devices, and develop defensive patterns that can be applied to other mobile ecosystems.