Security Researchers Warn Of Android Design Flaw

Security researchers are warning that Google’s Android operating system contains a design flaw that could allow online thieves to steal data. So said Sean Schulte, an SSL developer at Trustwave, and Nicholas Percoco, the senior vice president and head of SpiderLabs at Trustwave.

The design flaw is said to be serious because it could be used to steal data via phishing (posing as a trustworthy entity in order to obtain sensitive information) or by advertisers using those annoying pop-up ads.

Focus Stealing

For example, a hacker could create an apparently legitimate Android app that substitutes a fake log-in page for a legitimate banking app's log-in page, warned Nicholas Percoco in an interview with CNET. He was speaking to the publication ahead of his presentation on the research at the DefCon hacker conference in Las Vegas.

The way Android works at the moment is that, if an app wants to flag a notification to a user who is already using another app, an alert appears in the notification bar at the top of the screen. But, the researchers say, there is an API (application programming interface) in Android’s Software Development Kit (SDK) that can be used to push a particular app to the foreground instead.

“Android allows you to override the standard for [hitting] the back buttons,” Sean Schulte was quoted as saying. “Because of that, the app is able to steal the focus and you’re not able to hit the back button to exit out.”

The two researchers have even come up with a catchy name for the vulnerability, dubbing it the “Focus Stealing Vulnerability”.

And to prove how potentially serious the issue is, the researchers created a proof-of-concept tool which is apparently a game app. However, the app also triggers fake displays for Facebook, Amazon, Google Voice, and the Google email client. The tool installs itself as part of a payload inside a legitimate app and registers as a service so it comes back up after the phone reboots, Percoco said.

Pop-Up Vulnerabilities

A demo of the flaw in action apparently showed a user opening up the app and seeing the log-in screen for Facebook. The screen then experiences a barely noticeable blip and a fake screen replaces the legitimate one.

According to the researchers, this design flaw means that malicious developers can create targeted pop-up advertisements. These ads could be merely annoying, like most common pop-ups, but they could also be targeted to pop up an ad when a competitor’s app is being used. “So the whole world of ads fighting with each other on the screen is possible now,” said Percoco.

Apparently the two researchers notified Google of their findings a number of weeks ago. Google reportedly acknowledged there was an issue and said it was working out a way to address it without breaking any functionality of legitimate apps that may be using it.

Android Flaws

Google will be well aware that the open nature of Android does pose security concerns for some users. Indeed a new report from Lookout Mobile Security recently warned that Android users have plenty to be wary of on the security front.

Its new 2011 Mobile Threat report found that Android handset users are 2.5 times more likely to be affected by malware today than they were six months ago. It also found that three out of 10 Android gadget owners are likely to encounter a Web-based threat on their device each year, with the number of malware-infested Android apps soaring from 80 apps in January to more than 400 apps through June 2011.

In early March, Google pulled more than 50 apps from its Android market that were said to be poisoned with malware.

Tom Jowitt


Comments

  • Ian Thain, Senior Evangelist at Sybase, comments:

    “Unlike Apple, the Android mobile platform has a user-based approach to security. While on the plus side this helps fuel an active application marketplace, the marketplace itself has been criticised for the low level of monitoring by Google. When combined with the fact that there’s a lower barrier to entry for developers to create apps, there’s potentially a much greater risk of one of them harbouring malware that enterprises don't want anywhere near their corporate data.

    “To counter this risk, clearly mobile device management is key - an undertaking made more difficult by the advent of the BYOD (bring your own device) culture in business. However, to rely on device management alone is not enough. We believe mobile companies should move towards developing an ‘enterprise app store,’ whereby these security issues can be addressed more effectively, while ensuring the user experience parallels that of a consumer app store.”
