Vulnerability Found In Android That Allows For Phishing Scams and Pop-up Ads

You hated them on your PC and now those annoying pop-up ads and phishing attempts could find their way into an Android device near you. This year at Defcon 19 (a hacking conference held every year in Las Vegas) a couple of researchers managed to find a vulnerability in Android that could allow apps in the Android Market to steal a user’s data via phishing, or be used by advertisers to bring over the most annoying idea of the 21st century: pop-up ads.

Apparently, it’s possible for someone to create an app that will display a fake bank app log-in page while the user is using a legitimate banking app. Currently, apps that want to communicate with a user while a different app is being used can only push an alert to the notification bar. But the Android Software Development Kit (SDK) contains an application programming interface that allows an app to be pushed into the foreground while another is being used.

The guys over at Trustwave have named this issue the Focus Stealing Vulnerability. Sean Schulte, an SSL developer at Trustwave, explained how, “Android allows you to override the standard for (hitting) the back buttons.” Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, further explained that, “Because of that, the app is able to steal the focus and you’re not able to hit the back button to exit out.”

To further expose this issue, the researchers even created a proof-of-concept tool that is a game but also triggers fake displays for Facebook, Amazon, Google Voice and Gmail. They demoed the tool by showing a user opening up a legitimate app and then almost instantaneously, a “fake” login screen for Facebook appears. Percoco further explains, “With this design flaw, game or app developers can create targeted pop-up ads. The ads could be merely annoying, like most pop-ups are, but they could also be targeted to pop up an ad when a competitor’s app is being used.”

If you think you could avoid these apps by simply reading over the permissions page for a particular app, you would be mistaken. This kind of pop-up functionality is found in many legitimate apps and is known as an Activity Service.

Google has addressed this issue by stating the following,

“Switching between applications is a desired capability used by many applications to encourage rich interaction between applications. We haven’t seen any apps maliciously using this technique on Android Market and we will remove any apps that do.”

Nicholas Percoco responded by saying,

“Application switching is not the issue. The real issue is ability for other apps to identify which app is in the foreground and then decide to jump in front of that running app without the user giving it permission to do so. We also don’t see how they could determine the difference between a malicious app or a legitimate one since they would both look almost identical until a user reports it to them as malicious. The ‘wait until an app is reported bad before removing’ stance is dangerous and will likely prove out to be a fruitless effort as attackers could post apps much faster than Google could identify and remove them from the Market.”

I will now turn this over to our readers. How does the prospect of pop-up ads and phishing scams coming out of the Android Market sound to you? I’m not so sure Google’s statement gives me enough peace of mind. Do you feel like Google needs to do more to address and prevent this exposed “Android design flaw?”

[Via Cnet]

  • RoninX

    Yeah, the first time an app tries to do this, you should be warned, and need to give it permission to proceed.

    Also, I’d put a separate permission for “stealing focus” and “redefining default keys like back.” There may be legitimate reasons for doing both, but I’d like to know that the app is requiring these permissions before installing it.

    • http://profiles.google.com/daniel142005 Daniel Weisinger

      I agree. IMO, you should also be able to revoke certain permissions once the app has been installed. Maybe as a “developer feature” or something, but some apps just have sketchy permission requests. I think Pandora is on that list too, but don’t have my phone near me to check.

      • http://twitter.com/havens1515 Randroid

        If you’re rooted, check out an app called “Permissions Denied.” It allows you to do just that – revoke certain permissions from an installed app.

    • http://beesbuzz.biz/ fluffy

      Android’s input layer actually just treats the back button like any other key, and changing the API to require specific permissions to override that would break every existing application.

    • LeakedDave

      Use home to get out. Back is easily remapped. I could make your back key type the letter W in my app in one line of code.

      Home however can’t be touched easily.

  • Michael Quinlan

    An app like Tasker can detect when a specific app is in the foreground, and do certain things, including launching another app, or itself. This effectively steals focus. While Tasker has a long list of permissions, I don’t see anything like “Activity Service”.

    • zach1919

      That’s because an “Activity Service” doesn’t exist. It’s a stupid phrase made up for this article that makes literally no sense. See my other post for an explanation.

      • LeakedDave

        Actually it does. Just not as a permission. It’s built into the framework. Invoking activities is standard Android coding practice.

        • Paul Taylor

          Did you even read Zach’s explanation?

        • zach1919

          No, it doesn’t. I’ve been an Android dev since the start. The term “Activity Service” doesn’t even begin to make sense if you know what Activities and Services are. This article is garbage.

  • http://pulse.yahoo.com/_7O5ABRUQC4XMV4U35MIOT6GMUU Joe

    All the more reason I may be going to iPhone 5

    • Juan Carlos Contreras

      Good bye!!!

    • jawman

      That, and Google still has yet to implement full hardware acceleration. That’s what’s pushing me towards iOS.

      • Dianne Hackborn

        Android 3.0 implements full hardware acceleration. Not that it was actually needed until the large screens like the tablets (window compositing has always been accelerated since 1.0).

        Also drawing on iOS is not “fully hardware accelerated.” Drawing of the UI elements is generally in software; what it does do is use hardware accelerated drawing of sections of the UI for core animation… but at this point most ways you look at it, as of 3.0 Android is at least as hardware accelerated (if not more so) than iOS.

        • http://twitter.com/gamercore Chris Chavez

          Really? Why does Honeycomb’s homescreen chug so much then? Nowhere NEAR as fluid or smooth (60fps) as iPad/iOS =(

          • http://www.ppsmil.com power point

            Possibly because it’s doing more? Widgets, live wallpaper, etc.

            If you put nothing but widgets on a homescreen, you should expect a little bit of slowdown. =P

          • Dianne Hackborn

            Yes it is doing a *lot* more — the wallpaper parallax, a number of visual transparency layers, the lined icon art as icons scroll on and off the screen, etc. And the screen itself has a few more pixels (about 1.3x the pixels).

            The Tegra 2 has enough memory bandwidth to fill the 1280×800 screen about 2.5 times at 60fps. Consider: just compositing the separate app layers (the wallpaper and launcher, the part that has always been hardware accelerated) would involve filling the screen twice, so you couldn’t even draw your changing UI within the launcher (another frame filled at the very best) and still get 60fps.

            So there is a trick used: the hardware has 3 overlays, and if there is not more than 3 windows on screen they can be used instead of having to composite them with the GPU. When on the home screen, 3 windows: wallpaper, launcher, and the system bar. Now we don’t need to use any of the memory bandwidth for compositing, giving us the full 2.5 frames to actually draw the contents of the UI that is changing.

            Another optimization: the wallpaper window, when static, is actually larger than the screen. So it is drawn once, and the parallax is achieved simply by moving the window around. This is moving an overlay (in the optimized case) so again no memory bandwidth needed for it.

            That in the best case gives us 2.5 frames of bandwidth to draw the launcher UI itself. It probably uses about 2 — there is a static image layer on top of the wallpaper, the icons covering much of the screen, and various glows and other visual elements. It gets more complicated when switching in and out of the all-apps list (another visual layer drawn), but some tricks are used to allow it to do 60fps.

            So launcher can do 60fps in the good case: all windows in overlays, static wallpaper. Get out of this case and the frame rate goes down. For example, don’t use a live wallpaper. (This is why at least the Xoom doesn’t ship with the default wallpaper being a live wallpaper). If you start putting other windows on the screen, we start losing the overlays and needing a lot more memory bandwidth. Also the Tegra 2 can’t rotate overlays, so if you are not in the native screen orientation (typically landscape) all of the windows need to be composited by the GPU which blows the memory bandwidth budget.

            Even in that worst case, though, launcher can do 30fps, the frame rate of the original iPad. The variation between 30fps and 60fps does make the slower cases more noticeable, though. (I believe iPad 1 was locked at 30fps and wouldn’t go higher.)

            And applications themselves can generally easily do 60fps, if written well, since they are rarely as visually complicated as launcher.

          • http://twitter.com/windrush windrush

            Mine does not. You must be doing it wrong :)

        • jawman

          You’ve got to be kidding me. HW acceleration was always needed. Just sit down with any Android phone next to a 3 year old iPhone and the 3G is smoother hands down. I can’t even scroll through text messages, or even my list of apps, as smoothly as the 3G. This is especially noticeable when you get to the bottom of your app list and it slows down to a stop; you can clearly see it get jerky. Scrolling through the market, home screens, manage applications, etc., there are so many instances where the Android UI is nowhere near as smooth as it should be, and it’s ugly. I could make a huge list of examples showing this. I love Android just as much as the next guy, but I’m not willing to pretend that it is something it’s not just because it’s my favorite OS. Try to be more objective. It’s like the guy who bought the BlackBerry Storm and said he loves his phone and that it’s a great phone, when deep down he is pissed that he got fooled and bought a shitty phone and is now stuck with it. It’s called buyer’s remorse. Don’t apply this to Android, it will only make things worse. If Google sees people wanting something, we hope they’d deliver. But if they see people turning a blind eye, why would they bother? Also, it gets especially worse when multitasking. It might be okay and somewhat manageable if you’re just doing one thing, but when you’re multitasking, it can get pretty bad.

          And Android 3.0 is Honeycomb, which are tablets. Not phones. We need HW acceleration in phones. Supposedly, Ice Cream will deliver this, but I’ve been hearing that same BS since Eclair, then Froyo, then Gingerbread… I’ll believe it when I see it, but unfortunately, I really doubt it will ever come.

          • Paul Taylor

            No offence but are you sure there isn’t something wrong with your phone? The only time mine does anything like that is when the battery’s low, because I’ve configured SetCPU to underclock in that scenario. And mine’s a basic HTC Desire, not the latest dual core whizbang.

          • Dianne Hackborn

            The Nexus S can very easily do 60fps scrolling in standard application UIs without hardware acceleration. Current 1GHz processors can easily draw the screen multiple times at 60fps. (And again, window compositing has always been hardware accelerated.)

            Most jerkiness you see in the UI is actually due to other things going on — for example as you scroll through the manage apps list it loading and populating icons (and this code has been improved over the course of various platform releases to reduce this).

            I think you are also misinterpreting my comment. I am not saying the Android couldn’t be better here. I am saying that this common thinking of “hardware accelerated drawing” being the magical silver bullet is mistaken.

        • LeakedDave

          Lol he said Android 3.0 and hardware acceleration in the same light year.

          Honestly though I don’t doubt it. I blame Tegra2.

      • LeakedDave

        Take the plunge ;). I went from hating Apple and calling them rip offs to loving their software when I actually got down and started trying them out. iOS is great. Not saying Android is bad though for all you haters. I develop for Android and will be rocking the GS2 at I/O when it rolls around. Probably stick to iPhone 5 mostly as it’s gonna be rocking that A5

        • wakkoman

          Yup. Most anti apple trolls have never used an iOS device for a significant amount of time. They feel Apple users are a cult, yet try to start their own cult by hating everything Apple and everyone who uses their products.

  • jawman

    Nicholas Percoco is absolutely right. Google needs to be on top of the market. I’m all for an open OS, but the market definitely needs to have strong enforcement. It’s kind of like driving on the highway. You can drive in pretty much any lane you want, whatever car you want, and can go any speed as long as it is within the parameters set (e.g. posted speed limit). If you ignore these rules, the police are there to catch you and ticket you. People confuse the market with the OS. An open source OS is great, but the market needs to be regulated very, very well. Just sitting back and waiting for something to happen is NOT the answer; as any successful business person knows, you must be proactive, not reactive. Granted, you won’t be able to stop everything before it happens, but Google definitely has to do better in being proactive.

    • LeakedDave

      They just want to catch up to the number of iOS apps as fast as possible and are lazy.

  • http://beesbuzz.biz/ fluffy

    Google’s response shows that they ONCE AGAIN do not understand customer service, developer support, or privacy/security concerns in emerging Internet markets.

    • http://www.ppsmil.com power point

      Once again, you prove that people jump at stories and panic when there’s absolutely no reason to. There are precisely 0 apps on the market that do this.

      There is also 0 reason to put in a username or password more than once if the app developer has designed their application well enough. That’s what the “SHARE WITH” command does, as with the “Account Manager”. Compare this to any other platform, and you *HAVE* to enter your username / password if the application wants to share, say, a high score on Facebook.

      • http://beesbuzz.biz/ fluffy

        Do you believe

        1) that Google knows categorically that no Market applications do this, when there’s no control to the API that makes it possible to detect if an application does this

        2) that there will never be, especially now that this hole has been publicized

        3) that Google’s response to this and other situations is completely reasonable and without fail?

        I love Android as a platform, but Google as a company has me quite upset at this point. I’m just glad that Android is open source and doesn’t actually require Google services anymore.

  • LeakedDave

    iOS! :P Jk but seriously

    • Brandon Golway

      dislike

      • LeakedDave

        At least I have the balls to like multiple OS’s :p

  • Brandon Golway

    I usually don’t worry about these “malware apps” that target android because most of them come from shady 3rd party markets, but this kind of scares me a little since it can kind of inject itself into legitimate apps from google’s market.

    • zach1919

      This is a highly sensationalized piece. Apps can’t inject themselves into other apps any more than they ever could. The “hacks” at recent defcons are really going downhill.

  • zach1919

    1) Everyone knows it’s possible to make an app that looks like another app.

    2) It’s ALWAYS been possible to launch your app from a Service. Many useful apps wouldn’t be possible without this.

    3) Apps have always been able to launch themselves over other apps. How do you think things like AppLocker work? Have you ever noticed that little animation when new apps launch? Yep, that’s what would tell you if you had some sort of malware launching over your bank app.

    4) Apps have always been able to consume Back key presses. This is how games present you with a nice little “Are you sure you want to quit?” menu instead of just exiting. They can’t do anything about Home key presses though, so it’s not like they lock you into them somehow.

    5) No one is going to write a popup advertising app. Obviously users would just instantly uninstall it. And the use case mentioned in the article where one developer could show a pop up ad when the user is in a competitor’s app makes ZERO sense. For the developer to pop up the ad, the user would already have to have installed his/her app. If the user already has it installed, why would they advertise for it?

    Also, I’m sorry Chris, but you really need to do a little research before posting things like this. An “Activity Service” isn’t a real thing. An Activity is a UI. A Service is a background worker. The two are opposites (UIs are visible, background stuff isn’t). This is such a sensationalized piece that it has nothing to offer but more scaremongering. This new “vulnerability” is so obvious that I would guess most Android devs have experience with using it for entirely legitimate purposes.

  • http://www.ppsmil.com power point

    Uhm… so how is this different than any other OS? An application that’s installed on my desktop can quickly minimize and replace a browser window (or replace just the URL for that matter) asking for credentials…

    Also, Percoco is a fucking idiot:
    “The real issue is ability for other apps to identify which app is in the foreground and then decide to jump in front of that running app” in response to “Switching between applications is a desired capability used by many applications to encourage rich interaction between applications”

    They’re saying the same thing? It’s a desired function that could be abused by malicious programs. You might as well put permissions for or ban drawing pixels on a screen, because I could maliciously assemble pixels into a login form for Facebook. Stop writing to files because malware could write junk into your files.

    “If you think you could avoid these apps by simply reading over the permissions page for a particular app, you would be mistaken.” This is a lie. There *IS* a permission to identify currently running programs called “RETRIEVE RUNNING APPLICATIONS”. This “exploit” needs to know which application is up on the screen in order for it to pop up over it, right?

    So if you see a program asking for that, avoid it if you’re paranoid. Someone would also notice that an app is constantly running in the background when it doesn’t need to, and will raise warning flags.

    Of course, you could simply ask for the developer of said suspicious app to implement the Android “Share To” command, avoiding needing to enter in a password at all.

    So yet again, a panicless panic.
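The post above amounts to a reviewable heuristic: an app that asks to see which application is in the foreground, keeps a background Service running, and carries its own screens to launch is worth a closer look before install. The script below turns that heuristic into a manifest triage check. It is an added example, not code from the article, from Trustwave, or from any commenter; it assumes the Market label “RETRIEVE RUNNING APPLICATIONS” corresponds to the manifest permission `android.permission.GET_TASKS` (an assumption, not stated on the page), and both sample manifests are constructed for the demonstration.

```python
"""Manifest triage for the focus-stealing pattern discussed in the thread.

Constructed example (not the article's, Trustwave's, or a commenter's code).
It parses AndroidManifest.xml and flags the combination described above:
foreground-app query permission + background Service + its own Activities.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: the Market label "RETRIEVE RUNNING APPLICATIONS" is the
# manifest permission android.permission.GET_TASKS on 2011-era Android.
FOREGROUND_QUERY_PERMS = {"android.permission.GET_TASKS"}
# A second way to sit on top of another app: a system-level overlay window.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}

# Constructed sample manifests: a plain game, and a "game" that carries the
# ingredients the comment describes (foreground query, always-on service).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Puzzle">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Free Game">
    <activity android:name=".GameActivity"/>
    <activity android:name=".PromoActivity"/>
    <service android:name=".WatcherService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _android(elem, attr):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def triage_manifest(manifest_xml):
    """Return findings for one manifest.

    'focus_steal_pattern' is the commenter's heuristic: the app can see the
    foreground app AND keeps a background Service AND has a UI of its own
    that the Service could launch over whatever the user is looking at.
    """
    root = ET.fromstring(manifest_xml)
    perms = {_android(p, "name") for p in root.iter("uses-permission")}
    services = [_android(s, "name") for s in root.iter("service")]
    activities = [_android(a, "name") for a in root.iter("activity")]
    boot_start = any(
        _android(a, "name") == "android.intent.action.BOOT_COMPLETED"
        for a in root.iter("action")
    )

    findings = []
    if perms & FOREGROUND_QUERY_PERMS:
        findings.append("can identify the foreground app (GET_TASKS)")
    if perms & OVERLAY_PERMS:
        findings.append("can draw over other apps (SYSTEM_ALERT_WINDOW)")
    if services:
        findings.append("declares %d background Service(s)" % len(services))
    if boot_start:
        findings.append("restarts itself at boot (BOOT_COMPLETED receiver)")

    pattern = bool(perms & FOREGROUND_QUERY_PERMS) and bool(services) and bool(activities)
    return {
        "package": root.get("package"),
        "findings": findings,
        "focus_steal_pattern": pattern,
    }


def triage_all(manifests):
    """Return the package names whose manifests match the pattern."""
    results = [triage_manifest(m) for m in manifests]
    return [r["package"] for r in results if r["focus_steal_pattern"]]


if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        result = triage_manifest(manifest)
        verdict = "REVIEW" if result["focus_steal_pattern"] else "ok"
        print(result["package"], "->", verdict)
        for finding in result["findings"]:
            print("   ", finding)
```

The check is deliberately a triage signal, not a verdict: as the thread points out, plenty of legitimate apps (task switchers, app lockers) declare exactly this combination, so a match means “read the permissions and reviews before installing”, not “malware”.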

    • http://www.ppsmil.com power point

      Oh, incidentally… Remember the annoying notification bar ads? If this “exploit” pops up on your screen, you know how fast people will uninstall the offending application? And yes, they’ll move so fast to identify and bitchslap the offending apps out of existence.

    • B2L

      Thank you! I thought everyone had gone crazy in this thread until I read this post. People are always going to have to deal with malware unless you use something like WebOS because it only has 10 users and nobody cares about them anyway.

      If you use a popular OS people are going to try and hack it and steal your info. If you’re not an idiot it’s pretty easy to see if you should install something beforehand, or you can even install an app like Lookout to protect yourself.

      Anyone who doesn’t know these basic things shouldn’t own a smartphone.

      • LuisG3

        I applaud this excellent comment!

  • xmichaelx

    Am I the only Android user who doesn’t install random apps without having any idea what they do? This “problem” would never affect me, because I’m not dumb. (I don’t worry about getting the “Sexxie Asian B00bies” app viruses either.)