Potential Design Flaw in Android Could Allow Malware to Mimic Legitimate Apps

Discussion in 'Android News' started by dgstorm, Aug 8, 2011.

  1. dgstorm
    Offline

    dgstorm Editor in Chief Staff Member Premium Member

    Joined:
    Dec 30, 2010
    Messages:
    7,198
    Likes Received:
    1,349
    Trophy Points:
    113
    Location:
    Austin, TX
    [​IMG]

    Some researchers recently demonstrated what may be a design flaw in Android that would allow malware to mimic legitimate apps. Sean Schulte, SSL developer at Trustwave, and Nicholas Percoco, the senior vice president and head of SpiderLabs at Trustwave, revealed at a DefCon Hacking Convention, what they believe is a design flaw in Android. They indicated that the design flaw could be used by advertisers to bring annoying pop-up ads to phones, or even by criminals to steal data via phishing.

    Basically the exploitable flaw centers around the fact that Android allows a developer to override the standard for hitting the back buttons. Because of this, an app can be created that is able to steal the focus and keep you from being able to hit the back button to exit out. This is similar to some malware attacks on Windows based computers. They are calling it the "Focus Stealing Vulnerability", and they were able to demonstrate an app they created that did exactly what they described. Here's a quote from the CNET article with more details,
    The worst part about this potential vulnerability is that it could do more than just create a replacement pop-up ad; it could also detect when you are using a banking or email app, and create a legitimate looking overlay "phishing" for your credentials. Afterwards, the user would never even realize what happened. Supposedly,
    Google is looking into the issue, and for now, no malware infections for this exploit have been reported. In the meantime, the best thing you can do is to always be cautious about where you get your apps, and don't download anything that looks even remotely suspicious.

    Source: Android.net via PhoneArena and CNET
  2. Immolate
    Offline

    Immolate New Member

    Joined:
    Jul 17, 2010
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Central Florida
    Glad everyone waited until the hole is plugged before disseminating the information globally. Whew. Another bullet dodged.
  3. DroidXDoes4G
    Offline

    DroidXDoes4G New Member

    Joined:
    May 23, 2011
    Messages:
    948
    Likes Received:
    3
    Trophy Points:
    0
    Google can fix it. There google. :)

    Sent from my DROID3 using DroidForums
  4. chasehammer
    Offline

    chasehammer New Member

    Joined:
    Mar 21, 2011
    Messages:
    97
    Likes Received:
    1
    Trophy Points:
    0
    Location:
    Franklin, TN
    first thing that came to mind.

    "Hey guys i found this design flaw that can infect a whole lot of people if it gets out. Lets tell everyone."
  5. NoBloatware
    Offline

    NoBloatware New Member

    Joined:
    Jun 23, 2011
    Messages:
    746
    Likes Received:
    11
    Trophy Points:
    0
    So an app can show an ad when you press the back button? That's considered malware?

    As far as the app showing a fake login page, any app can do that now at any time. The problem is that when you press the back button you might actually think "oh, my bank account logged out. I better log in". This is a problem. If the stars align properly, a user could enter their password info.

    How can this be fixed? Disabling the ability to override the back button seems severe. But what else can be done? If an app has the ability to display itself in full screen, it can then mimic anything. A similar problem used to plague web browsers. The malware would mimic the URL bar and it would look like you were actually at your bank's web site when you weren't. While browsers could solve this by always showing the URL bar, there is no equivalent paradigm in Android. I could be looking at a screen that says "Bank Login" and there is no way for me to know which app is displaying that page. It will be interesting to see how/if Google fixes this.

    For now, when you press the back button you need to be sure of what you're looking at. Don't enter sensitive info without returning to the home screen and going to the app directly.
  6. OneTenderRebel
    Offline

    OneTenderRebel New Member

    Joined:
    Mar 31, 2010
    Messages:
    3,326
    Likes Received:
    63
    Trophy Points:
    0
    Location:
    Hampton Falls, NH
    I can tell you which phone OS this wouldn't happen to.............:icon_eek:


    But I am not trying to incite riots, haha
  7. chasehammer
    Offline

    chasehammer New Member

    Joined:
    Mar 21, 2011
    Messages:
    97
    Likes Received:
    1
    Trophy Points:
    0
    Location:
    Franklin, TN
    webOS? ;) ....
  8. OneTenderRebel
    Offline

    OneTenderRebel New Member

    Joined:
    Mar 31, 2010
    Messages:
    3,326
    Likes Received:
    63
    Trophy Points:
    0
    Location:
    Hampton Falls, NH
    haha exactly............
  9. GrillMouster
    Offline

    GrillMouster New Member

    Joined:
    Nov 23, 2009
    Messages:
    289
    Likes Received:
    0
    Trophy Points:
    0
    Nicely played, good sir.