Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

Android's Hover feature is a data HOOVER

Mouse-over-on-mobile feature intentionally allows data-stealing overlay attacks

That took a while: Android's had Hover since Ice Cream, but boffins have taken until now to work out how to attack it.

Hover is a set of interface calls that let application designers imitate mouse-over behaviours people know from PCs, and it only needs to be implemented on a phone or tablet to be vulnerable - whether or not a particular app supports it.

The researchers, from ETH Zurich and the Sapienza University of Rome, figured out that “any Android application running with a common SYSTEM_ALERT_WINDOW permission” can ”record all touchscreen input into other applications”.

Their paper is here at Arxiv.

In other words, it's an overlay attack. Such things aren't new – The Register has reported on attacks that include overlay exploits in May, June and September of this year alone – but the researchers reckon their “Hoover” attack is more accurate.

Even worse, because SYSTEM_ALERT_WINDOW is a common permission, Hoover attackers don't need to phish the users, and it's transparent.

Did we mention it gets even worse? The obvious exploit of Hoover is to grab PINs and passwords, but the boffins who wrote the paper have the kind of devious mind you more easily imagine inhabiting an island fortress than a prim academia.

They note that a Hover-based attack can also watch what apps someone is using (and therefore could redirect them to malicious lookalike apps as updates); or could build a biometric profile of the user, to bypass biometric authentication.

So let's take a look at how it works.

Hover isn't much different from a touch-screen interface: it detects the user's finger or stylus as x-y coordinates, with suitable system calls to Hover events, and it interacts with the UI's View Objects building blocks.

If you can create a transparent overlay, it's easy to capture the user's interaction, but in most similar vulnerabilities the attacker has to trick the user into installing a malicious app.

That's where the SYSTEM_ALERT_WINDOW permission comes in. People routinely allow apps to use this permission, because it lets them get a popup when a new text message arrives – or a new Facebook notification.

In other words, users have been socially engineered into saying “yes” to notifications. The paper notes that on Google Play, “there are more than 600 apps with hundreds of millions of downloads each that require SYSTEM_ALERT_WINDOW to be installed”.

In Android, malware is blocked from observing other applications' clicks – but the researchers found that a malicious, invisible window raised by SYSTEM_ALERT_WINDOW can watch Hover events, and use those to infer the user's clicks.

The malicious app generates a fully-transparent alert window overlay which covers the entire screen. The overlay is placed by the system on top of any other window view, including that of the app that the user is using. Therefore, the malware, thanks to the overlay, can track the hover events.

However, the malicious view should go from active (catch all events) to passive (let them pass to the underneath app) in a “smart way” in time, so that the touch events go to the real app while the hovering coordinates are caught by the malware. The malware achieves this by creating and removing the malicious overlay appropriately, through the WindowManager APIs, in a way that it does not interfere with the user interaction.

In other words, the Hoover attack pops up its window long enough to catch a Hover event, “guesses” from Hover what the click is going to be, hides the overlay so the user can interact with their application, and raises it again to catch the next input.

A bit of machine learning was required to train the attack, after which the researchers claim accuracy up 79 per cent for finger interactions, and up to 98 per cent for stylus users.

The researchers note this isn't going to be easy to mitigate: Google will have to balance how to restrict Hover's permissions without crippling legitimate apps. ®

 

Similar topics

TIP US OFF

Send us news


Other stories you might like