
Android no longer reveals app permission changes in automatic updates - cpeterso
http://arstechnica.com/security/2014/06/android-no-longer-reveals-app-permission-changes-in-automatic-updates/
======
brucehart
I think one day in the near future, there will be a major malware attack on
mobile phones. There are few checks that go into updates on mobile phones. All
someone needs to do is find an app that has a large install base and put
together a malicious update package. Many popular apps are written by
hobbyists and one-man operations. An attacker could just pay off the original
authors or find some sort of simple backdoor (such as an author accidentally
uploading their account information to a public repo).

The damaging code could be obfuscated and compiled into a binary module. In
order to prevent Google (or Apple) from shutting down updates before it
reaches too many people, the malware payload could trigger at a certain time
or based on a network command once the update is installed everywhere.

Imagine someone flooding Verizon's network with traffic at a coordinated time
and bringing the network down. Or rendering a large percentage of iOS products
inoperable during a WWDC keynote. There would be a lot of money to be made by
shorting the stock of the affected companies.

