Yet another Android app security bug: This time 'everything is affected'

Google says flap over user-interface spoofing is overstated


Yet another potentially serious security flaw has been revealed in Android.

This time the problem involves the mobile operating system's ability to run more than one app at once – as opposed to its handling of multimedia messages, which was the crux of a cyber* of vulnerabilities last month.

The latest security blunder opens the door to criminals who want to spy on device owners, steal login details, install ransomware, and so on, it is claimed.

We're told the vulnerability can be exploited to show a spoofed user interface, controlled by an attacker, when someone starts an app: the owner will not be aware that they are typing into another program masquerading as a legit application.

"The enabled attacks can affect all latest Android versions and all apps (including the most privileged system apps) installed on the system," warned Chuangang Ren, a security researcher from Penn State University.

A paper on the vulnerability [PDF] – presented at the USENIX Security 15 conference in Washington DC last week – explained:

Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implications of Android multitasking remain under-investigated.

With a systematic study of the complex task dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilising the task hijacking attack surface to implement UI spoofing, denial-of-service and user-monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities.

We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy.

The five researchers – Chuangang Ren and Peng Liu, both from the Pennsylvania State University; Yulong Zhang, Hui Xue, and Tao Wei, all from FireEye – have notified the Android team about the findings of their research. Their 16-page paper, Towards Discovering and Understanding Task Hijacking in Android, outlines the risk in greater depth, as well as suggesting possible mitigation techniques.

A quick overview of the vulnerability can be found in the video below.

[YouTube video]

El Reg asked Google to comment, but we're yet to hear back from the IT giant. ®

Updated to add

A Google spokeswoman reckons the researchers have overstated the threat, and have failed to factor in protection mechanisms in place in Android. "We appreciate this theoretical research as it makes Android's security stronger," she said.

"Android users are protected from attempts at phishing or hijacking like this (including manipulation of the user interface) with Verify Apps and Safety Net security features."

Bootnote

* Due to the recent rash of Android vulnerabilities, it has become clear that a new collective noun for such flaws is required. A "cyber" of flaws is one of several new terms currently being rigorously tested at Vulture Central. If you have any opinions on this or any other suggestions, please feel free to express them in the comment section.
