An Android security flaw has been discovered, that would allow malicious apps to change icons on your home screen, so they opened malware or phishing sites. Google has issued a patch to fix the problem, but users will have to wait for their carriers to deliver it to their devices.
The security hole was discovered by FireEye mobile security researchers. They found that an app with normal permissions in Android could ‘probe icons on Android home screen and modify them to point to phishing websites or the malicious app itself without notifying the user.’
Android has five permission levels, normal, dangerous, system, signature and development. ‘Normal’ permissions are given at installation, and do not require you to grant the app any further access to your phone. ‘Dangerous’ and other permissions need your confirmation before continuing.
The FireEye team found that certain ‘normal’ permissions have dangerous implications. They could be manipulated to replace legitimate icons on your device with fakes that lead you to malware or phishing sites that try to trick you into giving your login details and other personal data.
Google responded quickly, but users will have to wait until their carriers have pushed the update to them. As always, be careful if any app or website is asking you for login details unusually.
Source: FireEye
