If the Carrier IQ saga and WikiLeaks spyware docs weren’t enough mobile insecurity for you, the hits keep coming. Scientists from NC State have identified an exploit in select Android phones that allows an app to get permissions to do nearly anything: record calls, take pictures or video, log SMS, and track locations.

The researchers found security holes in phones from HTC, Samsung, Motorola, and Google — including the EVO 4G, Nexus One, Legend, Epic 4G, and Nexus S. They say the glitch relates to manufacturer-supplied enhancements; this could refer to custom UIs like HTC Sense and Samsung TouchWiz, but that wouldn’t apply to the vanilla Nexus phones.

The team created a custom diagnostic app, Woodpecker, which tested the permissions vulnerabilities on eight phones. The least secure was the EVO, which leaked camera, location, SMS, and audio data. The Legend logged six leaks, with the Epic 4G tallying three. The Nexus One and Nexus S leaked one permission. The worst perpetrators are well over a year old, but many customers still use them under their original contracts.

The frightening part is that, before going public with the findings, the NC State scientists approached the manufacturers and were largely ignored. Google and Motorola confirmed the holes, but Samsung and HTC haven’t given the researchers the time of day. As this is an enormous security threat, the lackluster response is beyond disappointing.

Skeptics can see the egregious exploits demonstrated in the following video. This isn’t for the faint of heart, as it demonstrates the app recording audio and sending text messages without user knowledge or consent.

via The Register and Daring Fireball
"Android exploit allows unauthorized app to record audio take pictures send SMS"