It redirects users to phishing websites or malware-serving websites without alerting them.
Security researchers at FireEye have uncovered a new vulnerability in Android that allows hackers to use malicious apps to replace original home screen icons with fake ones.
The Android Open Source Project (AOSP) classifies Android permissions, the requests that apps make in order to work, into protection levels such as ‘normal’, ‘dangerous’, ‘system’, ‘signature’ and ‘development’.
According to the security firm, the latest Android 4.4.2 OS displays only the dangerous permissions if an app requests both dangerous and normal permissions, while it does not display normal permissions to users even upon request.
Researchers said in a statement that some of the "normal" permissions are found to have dangerous security impacts.
"Using these normal permissions, a malicious app can replace legit Android home screen icons with fake ones that point to phishing apps or websites," they added.
"The ability to manipulate Android home screen icons, when abused, can help an attacker deceive the user."
Hackers can take over Android home screen icons using two permissions, com.android.launcher.permission.READ_SETTINGS and com.android.launcher.permission.WRITE_SETTINGS, which enable an app to query, insert, delete, or modify the whole configuration settings of the Launcher, including icon insertion or modification.
The vulnerability also affects devices using non-AOSP Launchers, including Nexus 7 with CyanogenMod 4.4.2, Samsung Galaxy S4 with Android 4.3 and HTC One with Android 4.4.2.
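A defender-side check for the two permissions named above, as an added example that is not from FireEye or the original article: it scans a decoded (plain-text) AndroidManifest.xml for the AOSP Launcher permissions. The sample manifest, the package names and the vendor-launcher naming pattern are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The two AOSP Launcher permissions named in the article.
AOSP_LAUNCHER_PERMS = {
    "com.android.launcher.permission.READ_SETTINGS",
    "com.android.launcher.permission.WRITE_SETTINGS",
}
# Assumption: non-AOSP launchers reuse the same suffix under their own package prefix.
VENDOR_PATTERN = re.compile(r"\.launcher\.permission\.(READ|WRITE)_SETTINGS$")

# Constructed sample manifest (hypothetical app), as produced by a manifest decoder.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>
    <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="com.example.launcher.permission.READ_SETTINGS"/>
    <application android:label="Wallpapers"/>
</manifest>
"""

def audit_manifest(manifest_xml):
    """Report launcher-settings permissions requested by one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID_NS + "name", "")
        for el in root.iter()
        if el.tag in ("uses-permission", "uses-permission-sdk-23")
    }
    aosp = sorted(requested & AOSP_LAUNCHER_PERMS)
    vendor = sorted(p for p in requested - AOSP_LAUNCHER_PERMS
                    if VENDOR_PATTERN.search(p))
    return {
        "package": root.get("package"),
        "aosp_launcher_perms": aosp,
        "vendor_like_launcher_perms": vendor,
        # WRITE access is what permits inserting or modifying icons.
        "can_modify_icons": any(p.endswith("WRITE_SETTINGS") for p in aosp + vendor),
    }

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The unrelated `android.permission.WRITE_SETTINGS` in the sample is deliberately not flagged, since it governs system settings rather than the Launcher configuration.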