Android allows an application to voluntarily bring itself to the foreground, or to become active, while the user is working in another application. Because the SDK lets apps push themselves to the foreground in this way, Android also lets the user dismiss and override the behaviour by hitting the Back button. Many security applications rely on this feature for application control or for locking the phone.
An attacker can abuse this feature by building a fraudulent pop-up that replaces the standard log-in screen of a banking or social-networking app and collects whatever the user types into it. The switch happens so quickly that the screen barely blips, and the user would not notice that the original log-in screen has been replaced by the fake one.
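The mechanism described above, as an added example that is not code from the original post or from the DefCon presenters: a background Service brings one of its own app's Activities to the foreground on top of whatever the user is currently using, and the Activity keeps the default Back-button behaviour so the user can dismiss it. The package name, class names and the ten-second delay are assumptions chosen for illustration. This targets the 2011-era SDK the post describes; Android 10 (API 29) and later block Activity starts from a background Service unless the app holds SYSTEM_ALERT_WINDOW or meets one of the platform's exemptions.

```java
// Added example (not from the original post): bringing an Activity to the
// foreground from a background Service. Package and class names are
// hypothetical. In a real project each public class lives in its own file.
package com.example.focussteal;

import android.app.Activity;
import android.app.Service;
import android.content.Intent;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.widget.TextView;

public class ForegroundStealService extends Service {
    // Assumed delay: long enough that the user has probably switched to
    // another app before our Activity appears on top of it.
    private static final long DELAY_MS = 10_000;
    private final Handler handler = new Handler();

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        handler.postDelayed(new Runnable() {
            @Override
            public void run() {
                // A Service has no task of its own, so FLAG_ACTIVITY_NEW_TASK is
                // mandatory here (the platform throws without it). The new
                // Activity is placed on top of whatever the user is looking at,
                // with no permission required beyond being an installed app.
                Intent steal = new Intent(ForegroundStealService.this, StolenFocusActivity.class);
                steal.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                startActivity(steal);
                stopSelf();
            }
        }, DELAY_MS);
        return START_NOT_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null; // started service only, nothing binds to it
    }
}

public class StolenFocusActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        TextView view = new TextView(this);
        view.setText("Started from a background Service, on top of the app you were using.");
        setContentView(view);
    }

    // onBackPressed() is deliberately not overridden: the default finish() is
    // the "Back dismisses it" behaviour the post describes. A lock-screen style
    // security app that wants to stay in front would override it instead.
}
```

Both classes must be declared in AndroidManifest.xml, and the Service is kicked off once from anywhere in the app with `startService(new Intent(this, ForegroundStealService.class))`. The point for a reviewer is the absence of anything suspicious: no permission, no special API, just `startActivity` from a component that is not on screen.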
Hackers at the DefCon conference demonstrated this design flaw in the Android operating system, which criminals could exploit to phish for customer data or to push pop-up ads to smartphones.
A normal user cannot identify such an application from the "permissions required" list shown at installation time, because bringing an activity to the foreground is a legitimate function available to any application and does not appear as a separate permission.
According to Google, it has not seen any apps maliciously using this technique on Android Market and will remove such apps if they are found.
Users still have to be careful, as attackers could post apps faster than Google could identify and remove them from the Market.