According to research presented at DefCon by Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, a design flaw in Android can be used by criminals to steal data via phishing, or by advertisers to push pop-up ads onto phones, annoying users.
Sean Schulte, SSL developer at Trustwave, and Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, revealed at DefCon what they described as a design flaw in Android.
Using it, developers can build fake apps that appear innocuous but can display a fake bank log-in page, for example while the user is using the legitimate bank app.
Currently, an app that wants to communicate with the user while a different app is in use normally just appears as an alert in the notification bar at the top of the screen, but there is an application programming interface (API) in Android's Software Development Kit that can be used to push a particular app to the foreground.
Android also allows apps to override the standard behaviour of the back button, so an app that has stolen the focus can prevent the user from hitting back to exit; the researchers named this the Focus Stealing Vulnerability.
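From the app developer's side, the observable symptom of focus stealing is that a sensitive screen loses window focus while the user is in the middle of entering credentials. The following is an added illustration, not code from the article or from the Trustwave research: a login Activity that reacts to an unexpected focus loss by discarding the partially typed password and warning the user when the screen returns. The layout ids and the `R.layout.activity_login` layout are assumptions.

```java
// Added example (not from the article or the researchers): a login Activity
// that notices when another window takes the foreground over it.
// Assumes a layout with R.id.password (EditText) and R.id.warning (TextView).
import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.widget.EditText;
import android.widget.TextView;

public class LoginActivity extends Activity {
    private EditText password;
    private TextView warning;
    private boolean focusLostDuringEntry = false;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login); // assumed layout name
        password = (EditText) findViewById(R.id.password);
        warning = (TextView) findViewById(R.id.warning);
    }

    // Called by the framework whenever this Activity's window gains or loses focus.
    // Note: focus is also lost for benign reasons (notification shade, incoming
    // call, system dialog), so this is a heuristic that warns, not proof of attack.
    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        if (!hasFocus && password.length() > 0) {
            // Another window came to the front while a password was being typed.
            // Clear the partial input so it is not left sitting in a background window.
            password.setText("");
            focusLostDuringEntry = true;
        } else if (hasFocus && focusLostDuringEntry) {
            // Back in the foreground: tell the user a screen switch happened.
            warning.setText("Another screen appeared over this one. Re-enter your password only on this screen.");
            warning.setVisibility(View.VISIBLE);
            focusLostDuringEntry = false;
        }
    }
}
```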
To prove their findings, the researchers created a proof-of-concept tool: a game that triggers fake displays for Facebook, Amazon, Google Voice, and the Google e-mail client. It installs itself as part of a payload inside a legitimate app and registers as a service so that it comes back up after the phone reboots.
In a demonstration, when a user opens the app and sees the log-in screen for Facebook, there is a quick blip, hardly noticed by many users, and then the fake screen completely replaces the legitimate one, leaving the user no reason to notice anything out of place.
With this design flaw, game or app developers can create annoying targeted pop-up ads, and these could also be used to target a competitor's app, so ads fighting each other on the screen are now possible.
According to Percoco, when the researchers approached Google, the company acknowledged that the issue exists and said it was trying to figure out how to address it.