Android Bug – This time Everything is effected!

Since I wrote my posts on Stagefright and CVE-2015-3842 vulnerability wihtin Android yet another potentially very serious security flaw has been revealed in the Android core. This time the problem is a bit deep rooted in the core of the operating system and involves the mobile operating system’s multitasking feature i.e. its ability to run more than one app at the same time. As per the researcher’s claims this vulnerability can be exploited to show user a spoofed interface controlled by an attacker when the user launches an app. The user would not be aware that the app she is running is a duplicate or spoofed app. This potentially gives the hackers the ability to spy on phone users, steal login credentials, install malware and much more. The following is a quote from the security paper the researchers published. The full submission is here[PDF]

Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implications of Android multitasking remain under-investigated.

With a systematic study of the complex task dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilising the task hijacking attack surface to implement UI spoofing, denial-of-service and user-monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities.

We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy.

 

 

Google’s reaction

As per The Register – A Google spokeswoman reckons that the researchers have overstated the threat and have failed to factor in protection mechanisms in place in Android.

Leave a Comment

Your email address will not be published.