Android Exploit Allows Phishing, Google say Desired Capability
An exploit found in Android opens the door for Phishing.
Researchers at internet security company Trustwave revealed a
potential design flaw in the Android operating system
that could allow unsolicited pop-up apps, or even secure data
The exploit was revealed at the Defcon conference in Las Vegas
by Trustwave employees Sean Schulte and Nicholas Percoco, who
explain that the problem lies with an application programming
interface in the mobile OS that can be used to identify a currently
in use app and push another app to the front, giving it focus.
Using this method, developers can create apps that can push
their way to the front, much like the dreaded pop-up ad we all know
and hate. The news gets worse as Schulte points out “Android allows
you to override the standard for the back buttons,” with Percoco
adding “Because of that, the app is able to steal the focus and
you’re not able to hit the back button to exit out”.
Apps forcing their way to the front is annoying at best, but
being able to override the phones back button makes it even worse
by stopping users from easily getting out of the suspect screen.
Because these interruptions can be targeted, it leaves the door
wide open for data phishing.
The researchers gave a demonstration at the event by creating a
game app that contained dummy log-in screens for popular sites such
as Facebook, Amazon, and Google email; this could of course go on
to include popular banking apps and so on. As the tool registers
itself as a service, it even returns after reboot just like full
blown Windows Malware. All of this can be achieved with legitimate
tools within the Android SDK without requesting suspicious
Google have been contacted regarding the issue, and the latest
response from a spokesperson there is that switching between
applications is “desired capability” and that to date they haven’t
seen any malicious use of it, and any apps that are found to do so
will be removed from the app store.