Android's Hover feature is a data HOOVER

Mouse-over-on-mobile feature intentionally allows data-stealing overlay attacks


That took a while: Android's had Hover since Ice Cream, but boffins have taken until now to work out how to attack it.

Hover is a set of interface calls that let application designers imitate mouse-over behaviours people know from PCs, and it only needs to be implemented on a phone or tablet to be vulnerable - whether or not a particular app supports it.

The researchers, from ETH Zurich and the Sapienza University of Rome, figured out that “any Android application running with a common SYSTEM_ALERT_WINDOW permission” can “record all touchscreen input into other applications”.

Their paper is here at Arxiv.

In other words, it's an overlay attack. Such things aren't new – The Register has reported on attacks that include overlay exploits in May, June and September of this year alone – but the researchers reckon their “Hoover” attack is more accurate.

Even worse, because SYSTEM_ALERT_WINDOW is a common permission, Hoover attackers don't need to phish the users, and it's transparent.

Did we mention it gets even worse? The obvious exploit of Hoover is to grab PINs and passwords, but the boffins who wrote the paper have the kind of devious mind you more easily imagine inhabiting an island fortress than prim academia.

They note that a Hover-based attack can also watch what apps someone is using (and therefore could redirect them to malicious lookalike apps as updates); or could build a biometric profile of the user, to bypass biometric authentication.

So let's take a look at how it works.

Hover isn't much different from a touch-screen interface: it detects the user's finger or stylus as x-y coordinates, with suitable system calls to Hover events, and it interacts with the UI's View Objects building blocks.

If you can create a transparent overlay, it's easy to capture the user's interaction, but in most similar vulnerabilities the attacker has to trick the user into installing a malicious app.

That's where the SYSTEM_ALERT_WINDOW permission comes in. People routinely allow apps to use this permission, because it lets them get a popup when a new text message arrives – or a new Facebook notification.

In other words, users have been socially engineered into saying “yes” to notifications. The paper notes that on Google Play, “there are more than 600 apps with hundreds of millions of downloads each that require SYSTEM_ALERT_WINDOW to be installed”.

In Android, malware is blocked from observing other applications' clicks – but the researchers found that a malicious, invisible window raised by SYSTEM_ALERT_WINDOW can watch Hover events, and use those to infer the user's clicks.

The malicious app generates a fully-transparent alert window overlay which covers the entire screen. The overlay is placed by the system on top of any other window view, including that of the app that the user is using. Therefore, the malware, thanks to the overlay, can track the hover events.

However, the malicious view should go from active (catch all events) to passive (let them pass to the underneath app) in a “smart way” in time, so that the touch events go to the real app while the hovering coordinates are caught by the malware. The malware achieves this by creating and removing the malicious overlay appropriately, through the WindowManager APIs, in a way that it does not interfere with the user interaction.

In other words, the Hoover attack pops up its window long enough to catch a Hover event, “guesses” from Hover what the click is going to be, hides the overlay so the user can interact with their application, and raises it again to catch the next input.
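A defender-side heuristic for the show/hide/show cycle described above, as an added example that is not from the article or the researchers' paper: it scans window add/remove events for a package that repeatedly raises a fully transparent, full-screen overlay for only a fraction of a second. The log format, package names, display size and thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed thresholds and display size; tune them for real telemetry.
SCREEN_W, SCREEN_H = 1080, 1920
MAX_LIFETIME_MS = 500   # an overlay that lives this briefly counts as one cycle
MIN_CYCLES = 3          # short cycles needed inside WINDOW_MS to flag a package
WINDOW_MS = 5000

LINE = re.compile(
    r"t=(\d+) pkg=(\S+) action=(ADD|REMOVE) w=(\d+) h=(\d+) alpha=([\d.]+)")

# Constructed sample in a hypothetical log format (not real device output).
SAMPLE_LOG = """\
t=100 pkg=com.example.helper action=ADD w=1080 h=1920 alpha=0.0
t=1000 pkg=com.example.chat action=ADD w=600 h=200 alpha=1.0
t=1200 pkg=com.example.torch action=ADD w=1080 h=1920 alpha=0.0
t=1350 pkg=com.example.torch action=REMOVE w=1080 h=1920 alpha=0.0
t=1900 pkg=com.example.torch action=ADD w=1080 h=1920 alpha=0.0
t=2050 pkg=com.example.torch action=REMOVE w=1080 h=1920 alpha=0.0
t=2600 pkg=com.example.torch action=ADD w=1080 h=1920 alpha=0.0
t=2750 pkg=com.example.torch action=REMOVE w=1080 h=1920 alpha=0.0
t=4000 pkg=com.example.chat action=REMOVE w=600 h=200 alpha=1.0
t=9000 pkg=com.example.helper action=REMOVE w=1080 h=1920 alpha=0.0
"""

def find_overlay_churn(log):
    """Return {package: cycle count} for rapid invisible full-screen overlay churn."""
    open_since = {}               # package -> time its suspicious overlay appeared
    recent = defaultdict(deque)   # package -> end times of recent short cycles
    flagged = {}
    for m in filter(None, map(LINE.fullmatch, log.splitlines())):
        t, pkg, action = int(m[1]), m[2], m[3]
        w, h, alpha = int(m[4]), int(m[5]), float(m[6])
        # Only fully transparent windows covering the whole screen are of interest.
        if w < SCREEN_W or h < SCREEN_H or alpha > 0.0:
            continue
        if action == "ADD":
            open_since[pkg] = t
        elif pkg in open_since and t - open_since.pop(pkg) <= MAX_LIFETIME_MS:
            q = recent[pkg]
            q.append(t)
            while t - q[0] > WINDOW_MS:   # drop cycles outside the sliding window
                q.popleft()
            if len(q) >= MIN_CYCLES:
                flagged[pkg] = max(flagged.get(pkg, 0), len(q))
    return flagged

print(find_overlay_churn(SAMPLE_LOG))  # {'com.example.torch': 3}
```

The visible chat popup and the long-lived invisible helper window are ignored; only the package that churns a short-lived invisible overlay is reported.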

A bit of machine learning was required to train the attack, after which the researchers claim accuracy of up to 79 per cent for finger interactions, and up to 98 per cent for stylus users.

The researchers note this isn't going to be easy to mitigate: Google will have to balance how to restrict Hover's permissions without crippling legitimate apps. ®

