Security Experts Identify Android Design Flaw
Android Exploit Allows Phishing, Google say ‘Desired Capability’
Researchers at internet security company Trustwave revealed a potential design flaw in the Android operating system that could allow unsolicited pop-up apps, or even secure data phishing.
The exploit was revealed at the Defcon conference in Las Vegas by Trustwave employees Sean Schulte and Nicholas Percoco, who explain that the problem lies with an application programming interface in the mobile OS that can be used to identify a currently in use app and push another app to the front, giving it focus.
Using this method, developers can create apps that can push their way to the front, much like the dreaded pop-up ad we all know and hate. The news gets worse as Schulte points out "Android allows you to override the standard for the back buttons," with Percoco adding "Because of that, the app is able to steal the focus and you're not able to hit the back button to exit out".
Apps forcing their way to the front is annoying at best, but being able to override the phones back button makes it even worse by stopping users from easily getting out of the suspect screen. Because these interruptions can be targeted, it leaves the door wide open for data phishing.
The researchers gave a demonstration at the event by creating a game app that contained dummy log-in screens for popular sites such as Facebook, Amazon, and Google email; this could of course go on to include popular banking apps and so on. As the tool registers itself as a service, it even returns after reboot just like full blown Windows Malware. All of this can be achieved with legitimate tools within the Android SDK without requesting suspicious permission levels.
Google have been contacted regarding the issue, and the latest response from a spokesperson there is that switching between applications is "desired capability" and that to date they haven't seen any malicious use of it, and any apps that are found to do so will be removed from the app store.