Researchers have warned of a flaw in Android that allows fake pop-ups to appear in legitimate apps
Security researchers are warning that Google’s Android operating system contains a design flaw that could allow online thieves to steal data. So said Sean Schulte, a SSL developer at Trustwave, and Nicholas Percoco, the senior vice president and head of SpiderLabs at Trustwave.
The design flaw is said to be serious because it could be used to steal data via phishing (posing as a trustworthy entity in order to obtain sensitive information) or by advertisers using those annoying pop-up ads.
For example a hacker could create an apparently legitimate Android app which could substitute a legitimate bank app log-in page with a fake banking app, warned Nicholas Percoco in an interview with CNET. He was speaking to the publication ahead of his presentation on the research at the DefCon hacker conference in Las Vegas.
The way Android works at the moment is that, if an app wants to flag a notification to a user who is already using another app, an alert appears in the notification bar in the top of the screen. But, the researchers say, there is an API (application programming interface) in Android’s Software Development Kit (SDK) that can be used to push a particular app to the foreground instead.
“Android allows you to override the standard for [hitting] the back buttons,” Sean Schulte, was quoted as saying. “Because of that, the app is able to steal the focus and you’re not able to hit the back button to exit out.”
The two researchers have even come with a catchy name for the vulnerability, after they dubbed it the “Focus Stealing Vulnerability”.
And to prove how potentially serious the issue is, the researchers created a proof-of-concept tool which is apparently a game app. However, the app also triggers fake displays for Facebook, Amazon, Google Voice, and the Google email client. The tool installs itself as part of a payload inside a legitimate app and registers as a service so it comes back up after the phone reboots, Percoco said.
A demo of the flaw in action apparently showed a user opening up the app and seeing the log-in screen for Facebook. The screen then experiences a barely noticable blip and a fake screen replaces the legitimate one.
According to the researchers, this design flaw means that malious developers can create targeted pop-up advertisements. These ads could be merely annoying, like most common pop-ups, but they could also be targeted to pop-up an ad when a competitor’s app is being used. “So the whole world of ads fighting with each other on the screen is possible now,” said Percoco.
Apparently the two researchers notified Google of their findings a number of weeks ago. Google reportedly acknowledged there was an issue and said it was working out a way to address it without breaking any functionality of legitimate apps that may be using it.
Google will be well aware that the open nature of Android does pose security concerns for some users. Indeed a new report from Lookout Mobile Security recently warned that Android users have plenty to be wary of on the security front.
Its new 2011 Mobile Threat report found that Android handset users are 2.5 times more likely to be affected by malware today than they were six months ago. It also found that three out of 10 Android gadget owners are also likely to encounter a Web-based threat on their device each year, with the number of malware-infested Android apps soaring from 80 apps in January to more than 400 apps through June 2011.
In early March, Google pulled more than 50 apps from its Android market that were said to be poisoned with malware.