08
Aug
26-Android-security

Every year, Defcon brings about some new concepts, hacks, vulnerabilities, and other digital tomfoolery. Sometimes it's all in good fun, but other times it's all too scary, which happens to be the case with a new class of Android malware that could allow for phishing attacks and pop-up ads alike.

Thanks to a design flaw in Android, there is a "feature" that allows an application to steal focus and pull itself into the foreground, bypassing the notification system entirely. Even more, the app can disable the use of the 'back' button to return the previously opened application, nearly locking you in to its interface.

Now, while this could be used as a legitimate feature in some apps, the negative aspects of such options far outweigh the good. In the example given at Defcon, a game was written with embedded phishing apps that would randomly steal focus -- apps made to look like Facebook, Amazon, Google Voice, and GMail. At this point, I'm sure you can already see where this is going; if an unsuspecting user sees a familiar interface pop into the foreground asking for sensitive data, then what reason would he or she not have to input their information? While the effects of having login credentials for Facebook or Email stolen can be troubling, consider what could happen if this malware was made to replicate that of a common bank app? The results could be devastating.

Naturally, Google responded to this finding, nearly brushing it off as if it were nothing.

Switching between applications is a desired capability used by many applications to encourage rich interaction between applications. We haven't seen any apps maliciously using this technique on Android Market and we will remove any apps that do.

Not happy with that retort, the researchers that discovered this potential threat fired back with a solid response:

Application switching is not the issue. The real issue is ability for other apps to identify which app is in the foreground and then decide to jump in front of that running app without the user giving it permission to do so. We also don't see how they could determine the difference between a malicious app or a legitimate one since they would both look almost identical until a user reports it to them as malicious. The 'wait until an app is reported bad before removing' stance is dangerous and will likely prove out to be a fruitless effort as attackers could post apps much faster than Google could identify and remove them from the Market.

Personally, I have never had an app steal the foreground in this manner, but moving forward, I guarantee that I will be wary of any app that utilizes this feature -- regardless of how legitimate the request seems.

[CNET; Thanks @protozeloz]

Cameron Summerson
Cameron is a self-made geek, Android enthusiast, horror movie fanatic, and musician. When he's not pounding keys here at AP, you can find him spending time with his wife and kids, plucking away on the 6- or 7-string, or watching The Texas Chainsaw Massacre on repeat.

  • http://www.jaxidian.org/update/ Jaxidian

    Handcent and many other SMS apps with "Text Message Popup" windows do this type of "stealing focus". I definitely get how this could be desirable, but I moreso understand that this is horribly dangerous!

    • http://bit.ly/velazcod velazco

      Exactly, and that is why POP-UP notifications shouldn't be allowed on ANY application. If you intrusive want pop-ups, go get an iPhone.

      • NolF

        I thought android was about choice and options. Perhaps a more suitable approach would make "stealing foreground focus" a permission mentioned when installing/updating an app.

  • rascalking

    A link to the actual demo or a more technical breakdown of the supposed exploit would be helpful. Otherwise it just sounds like an app with a deceptively-formatted activity that triggers randomly and disables the back button.

  • eleazar

    I don't have a problem at all with this functionality. I'd much rather have the option of using apps like Handcent to increase the functionality of my device, than for Google to remove the feature entirely because it could be used for malicious purposes.

  • Bazar6

    Any app that is a knockoff of another, such as a dev called byuvildsaf building and submitting an app called Bank of America shouldn't be allowed in the market in the first place... course then theres the bad part about side-loading an app.

    But those people I've encountered who side-load are little more tech savvy anyway, and know what to look for. Just don't download apps like "Hot Asian Chicks" and you'd be pretty good.

  • John

    I think it's funny that people have been saying it's just a Windows problem for years while there were those of us responding that all OS's are vulnerable and it's a issue of market share and opportunity cost for hackers. I think this proves that case as Android malware skyrockets.

  • http://WilliamPenton.com Nexxuz

    I think that if the ability to disable the back button was removed on pop-ups, then all of this could be prevented as well.

  • J Rush

    An interesting article indeed. It's the fact the Google brushed it off that concerns me. If it is indeed a "flaw" I would most definitely want to see it fixed...

    • http://N/A Brandon

      Deffinently....
      Google needs to try to protect their consumers.

      • http://schpydurx.livejournal.com ProfessorTom

        Oh, come on! "Openness trumps design any day!" Just patch the bug yourself.

        • http://www.androidpolice.com chin foot

          What does that supposed mean?

        • me

          chin foot: ProfessorTom is the resident "pro-Apple" troll around here.

  • http://N/A Brandon

    You said you'll remove the apps when found on the App Market...
    What about Amazon App Store?
    I've noticed my phone is having some issues since I starrted using the app store....

  • demus

    I love running multiple apps ; it's 1 of the strength of android.

  • John

    I fail to see how this is a flaw. The toddler app was doing this since day 1 and many apps use this to add more functionality like the popup notifications (usually you can decide via settings). If Google starts to prevent everything that *MIGHT* be malicious they could very well shut down the whole project. This is hardly a news and I have the feeling apple is feeding such trolls with hard cash to bullshit the crowd.

    • http://schpydurx.livejournal.com ProfessorTom

      So now Defcon is just paid Apple shills pointing out security flaws on all non-Apple platforms?