You hated them on your PC, and now those annoying pop-up ads and phishing attempts could find their way into an Android device near you. This year at Defcon 19 (a hacking conference held every year in Las Vegas), a couple of researchers found a vulnerability in Android that could allow apps in the Android Market to steal a user's data via phishing, or be used by advertisers to bring the most annoying idea of the 21st century, pop-up ads, to Android.
Apparently, it’s possible for someone to create an app that will display a fake bank app log-in page while the user is using a legitimate banking app. Currently, apps that want to communicate with a user while a different app is being used can only push an alert to the notification bar. But in the Android Software Development Kit (SDK) there is an application programming interface that allows an app to be pushed into the foreground while another is being used.
The guys over at Trustwave have named this issue the Focus Stealing Vulnerability. Sean Schulte, an SSL developer at Trustwave, explained how, “Android allows you to override the standard for (hitting) the back buttons.” Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, further explained that, “Because of that, the app is able to steal the focus and you’re not able to hit the back button to exit out.”
To further expose this issue, the researchers even created a proof-of-concept tool that is a game but also triggers fake displays for Facebook, Amazon, Google Voice and Gmail. They demoed the tool by showing a user opening up a legitimate app and then almost instantaneously, a “fake” login screen for Facebook appears. Percoco further explains, “With this design flaw, game or app developers can create targeted pop-up ads. The ads could be merely annoying, like most pop-ups are, but they could also be targeted to pop up an ad when a competitor’s app is being used.”
If you think you could avoid these apps by simply reading over the permissions page for a particular app, you would be mistaken. This kind of pop-up functionality is found in many legitimate apps and is known as an Activity Service.
Google has addressed this issue by stating the following,
“Switching between applications is a desired capability used by many applications to encourage rich interaction between applications. We haven’t seen any apps maliciously using this technique on Android Market and we will remove any apps that do.”
Nicholas Percoco responded by saying,
“Application switching is not the issue. The real issue is ability for other apps to identify which app is in the foreground and then decide to jump in front of that running app without the user giving it permission to do so. We also don’t see how they could determine the difference between a malicious app or a legitimate one since they would both look almost identical until a user reports it to them as malicious. The ‘wait until an app is reported bad before removing’ stance is dangerous and will likely prove out to be a fruitless effort as attackers could post apps much faster than Google could identify and remove them from the Market.”
I will now turn this to our readers. How does the potential of pop-up ads and phishing scams coming out of the Android Market sound to you? I’m not so sure Google’s statement is enough peace for me. Do you feel like Google needs to do more to address and further prevent this exposed “Android design flaw?”