Researchers have pinpointed two new vulnerabilities in Google’s Android platform. According to the researchers, Jon Oberheide and Zack Lanier, Google has known about the flaws for more than a month, yet both Android bugs remain unpatched.
The first Android vulnerability is a permissions escalation bug that may allow attackers to install applications with arbitrary permissions without user approval. Attackers may be able to exploit this flaw to gain privileges and perform code execution. According to the researchers, it is important to note that this vulnerability can be reached by exploiting existing applications. This bug is known to affect all Android handsets, and is not dependent on the Android OS version.
The second flaw is a Linux kernel privilege escalation bug that affects particular Android device models, including the Google Nexus S. Using this bug, an attacker may be able to gain root control over an Android device using a terminal application. This bug is present even in the latest Android kernel, and can be exploited by an unprivileged application to escalate privileges and gain full control of the device.
The researchers have posted a proof of concept video on their website. Previously, the duo was known for their Angry Birds proof-of-concept application, which they used to demonstrate how attackers could surreptitiously install malware without the knowledge or consent of users.