Android Design Flaw Allows Pop-Up Ads, Phishing

Hackers at the DefCon conference exposed a design flaw in the Android operating system that could be exploited by criminals to phish for customer data or introduce pop-up ads to smarrphones. According to CNET, if the flaw is exploited by a hacker, users who open a legitimate bank app would be greeted by a fake pop-up that would display a fake log-in page that would send the user’s username and password to a foreign server when entered, exposing users to fraud and phishing even when trying to open a legitimate app.

According to Nicholas Percoco of SpiderLabs at Trustwave, the flaw is being called the Focus Stealing Vulnerability. Essentially what happens is that Android allows apps to communicate with users while another app is being run in the foreground to push a notification to the top bar of the screen. However, because Android’s SDK allows apps to be pushed to the foreground, Android allows users to dismiss and override this behavior be hitting the back button. With the pop-up, the faulty app can now steal a user’s focus by preventing a user from exiting out by hitting the back button.

Malicious developers can target this vulnerability by creating faulty pop-ups that replace the standard log-in screen and collect user information that way. In a proof-of-concept demonstration, a fake Facebook was shown where the malicious code is embeedded within the legitimate app and comes to play when a user launches the app. In this case, if Facebook is launched, the log-in screen would be replaced by the fake pop-up log-in, and the screen would blip so fast that users wouldn’t even notice that the original log-in has been replaced by this fake pop-up.

CNET reports, “The functionality would not raise any red flags in the permissions displayed when the user downloads the app because it is a legitimate function for apps to check the phone state in what is called the Activity Service, according to Schulte.” Since CNET had published this vulnerability, Google had responded with the following statement:

Switching between applications is a desired capability used by many applications to encourage rich interaction between applications. We haven’t seen any apps maliciously using this technique on Android Market and we will remove any apps that do.

However, according to Percoco, it’s not app switching that’s the problem. “The real issue is ability for other apps to identify which app is in the foreground and then decide to jump in front of that running app without the user giving it permission to do so. We also don’t see how they could determine the difference between a malicious app or a legitimate one since they would both look almost identical until a user reports it to them as malicious. The ‘wait until an app is reported bad before removing’ stance is dangerous and will likely prove out to be a fruitless effort as attackers could post apps much faster than Google could identify and remove them from the Market.””