Together with their colleague Stephan Huber from Fraunhofer SIT, Steven Arzt and Siegfried Rasthofer from the SSE group discovered a security issue present in all current versions of Android. As Google now confirmed, the attack vector allows to forbid the future installation of arbitrary Android apps at the choice of the attacker. For instance, it can be used to forbid the installation of the facebook app for basically the entire lifetime of the mobile device until a factory reset has been performed or the issue is fixed manually which, however, requires root access to the device and some expertise in the Android OS. Update: The attack itself requires no root access.
We tested the attack on Android Version 4.x and 2.3.6. It is likely that this attack affects ALL Android versions, though. We wish to note, though, that this vulnerability was discovered under lab conditions, and that there is currently no indication that the vulnerability is exploited in the wild.
We are currently in contact with the Android security team to fix this problem. A detailed explanation of the attack will be published after a fix is available.