In addition to recently getting a Droid 2, I purchased a Motorola H17txt Bluetooth headset. When used with a Blackberry or an Android-based phone, you can download and install an application called MotoSpeak that will read text messages and emails through the H17txt. Before you go looking for such a headset, be warned: there is an H17 that costs a lot less than the H17txt, and MotoSpeak isn’t supported on that headset. Oh yeah, and MotoSpeak is a buggy app too.
The H17txt, when used with many Android-based phones, seems to be randomly launching the music player and potentially other applications. Some people have reported that it starts playing your last playlist. In my case, sometimes when I turn on the headset it starts playing my ringtone repository, and sure enough the music player application is open. At least for me, the behavior is not consistent. Usually the headset seems to function normally. Some people have reported that when they receive a text message it launches the music player. One has to wonder if a specially crafted SMS might be able to exploit the bug in the MotoSpeak app to do other things. I have not seen any reports of such behavior on the Blackberry; however, sometime today the app stopped reading my text and email messages to me when I receive them on my Blackberry.
It is important to remember that when you install an Android application, it tells you which permissions it requires, but it does not tell you what the application will do with those permissions. An application such as MotoSpeak, which has access to your address book, can read and send SMS messages, and can read emails, can do an awful lot. If the application can be abused, an attacker can obtain confidential information.
Just as third-party applications, such as Adobe Reader and Flash Player, are frequently attacked to install malware on PCs, expect to see third-party applications on the Android platform attacked in the future as the Android platform gains popularity. Currently the attacks I know of have been limited to rogue applications that users have installed, but I don’t believe this will be the only attack vector we will see in the future.
By the way… The Droid 2 has Adobe Flash Player installed for the browser… hmmm…
Director of Education
Author ESET Research, ESET