Lookout Mobile Security was recently in the news when their application for Android was able to locate a stolen car after it was hijacked from its owner, but that isn’t the only sort of hijacking they are concerned with. During the course of developing their own mobile application, and after observing common tactics used by malicious Android programs, they forwarded a major piece of advice to the Android team, and Google’s crew responded accordingly.
Up until Android 2.3, the OS was vulnerable to touch-event hijacking. This was accomplished by placing a false UI over an application’s true interface to trick users into clicking on ads, making purchases, installing malicious apps, wiping phone data, or granting unwanted permissions. An example would be an application that on the surface may look like, say, a game where the user taps a “Start” button, while in reality that button is a false layer on top of a checkbox altering system settings.
In Android 2.3, the team at Google has implemented functions that will prevent apps from being vulnerable to touch-event hijacking. This is accomplished by allowing a layer to be interacted with only when it is the topmost visible layer. Developers will still need to take steps to protect their applications and users, but it isn’t much more than a few lines of code. Good on Lookout for, well, looking out for all Android users, not just those using their mobile apps. For more techy details and some of the developer nitty-gritty, see the source link below.
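As an illustration of the “few lines of code” mentioned above, here is an added example (not code from the article, from Lookout, or from Google) of how an app opts a sensitive control into the Android 2.3 (API level 9) touch-filtering protection. The API names used, View.setFilterTouchesWhenObscured(), the android:filterTouchesWhenObscured layout attribute and MotionEvent.FLAG_WINDOW_IS_OBSCURED, are real parts of the Android SDK from that release; the package and class names are hypothetical.

```java
// Added example, not part of the original article. Package and class names are
// hypothetical; the Android APIs referenced exist from API level 9 (Android 2.3).
package com.example.tapjackingdemo;

import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;
import android.widget.Toast;

public class WipeConfirmActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        Button wipeButton = new Button(this);
        wipeButton.setText("Wipe all data");

        // Programmatic equivalent of android:filterTouchesWhenObscured="true" in
        // layout XML. Once set, the framework discards any touch that reaches this
        // view while another window (an overlay, a toast, a floating dialog) is
        // drawn over it, so a fake "Start" button cannot relay a tap through to
        // this control. The setting is per view and opt-in: each security-relevant
        // control (purchase, grant, wipe, install) needs it individually.
        wipeButton.setFilterTouchesWhenObscured(true);

        wipeButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // Only reached for touches the framework accepted as unobscured.
                Toast.makeText(WipeConfirmActivity.this,
                        "Wipe confirmed", Toast.LENGTH_SHORT).show();
            }
        });

        setContentView(wipeButton);
    }

    /**
     * For code paths that handle MotionEvents directly (custom views, gesture
     * handlers) rather than relying on the attribute: the framework marks every
     * event that arrived while the window was obscured with this flag, so the
     * handler can refuse to act on it.
     */
    static boolean arrivedWhileObscured(MotionEvent event) {
        return (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
    }
}
```

The attribute approach is the simpler of the two and is what most apps should use: the view never sees the obscured touch at all. The flag check matters only where an app consumes raw MotionEvents itself, since a custom onTouchEvent() that ignores the flag would still react to a relayed tap.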
[via Lookout]
Very interesting. Thanks!
I think I will head to the market and go buy their app.
Wow, all those apps I installed, and I never even thought about a vulnerability like that. o__o
Good to see Google has our backs …
Those guys know what they are doing. I trust and use their apps.
Hmm, I had heard about that theft, but this whole ‘tap-jacking’ thing is new to me. Thanks for the info, Phandroid.