Yet another Android app security bug: This time 'everything is affected'
Google says flap over user-interface spoofing is overstated
Yet another potentially serious security flaw has been revealed in Android.
This time the problem involves the mobile operating system's ability to run more than one app at once – as opposed to its handling of multimedia messages, which was the crux of a cyber* of vulnerabilities last month.
The latest security blunder opens the door to criminals who want to spy on device owners, steal login details, install ransomware, and so on, it is claimed.
We're told the vulnerability can be exploited to show a spoofed user interface, controlled by an attacker, when someone starts an app: the owner will not be aware that they are typing into another program masquerading as a legit application.
"The enabled attacks can affect all latest Android versions and all apps (including the most privileged system apps) installed on the system," warned Chuangang Ren, a security researcher from Penn State University.
A paper on the vulnerability [PDF] – presented at the USENIX Security 15 conference in Washington DC last week – explained:
Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implications of Android multitasking remain under-investigated.
With a systematic study of the complex task dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilising the task hijacking attack surface to implement UI spoofing, denial-of-service and user-monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities.
We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy.
The five researchers – Chuangang Ren and Peng Liu, both from the Pennsylvania State University; Yulong Zhang, Hui Xue, and Tao Wei, all from FireEye – have notified the Android team about the findings of their research. Their 16-page paper, Towards Discovering and Understanding Task Hijacking in Android, outlines the risk in greater depth, as well as suggesting possible mitigation techniques.
A quick overview of the vulnerability can be found in the video below.
El Reg asked Google to comment, but we're yet to hear back from the IT giant. ®
Updated to add
A Google spokeswoman reckons the researchers have overstated the threat, and have failed to factor in protection mechanisms in place in Android. "We appreciate this theoretical research as it makes Android's security stronger," she said.
"Android users are protected from attempts at phishing or hijacking like this (including manipulation of the user interface) with Verify Apps and Safety Net security features."
* Due to the recent rash of Android vulnerabilities, it has become clear that a new collective noun for such flaws is required. A "cyber" of flaws is one of several new terms currently being rigorously tested at Vulture Central. If you have any opinions on this or any other suggestions, please feel free to express them in the comment section.