Following Stagefright, another worrying Android vulnerability has been uncovered by researchers. The security flaw can be exploited by taking advantage of the operating system’s multitasking functionality, giving hackers access to every part of the device. “The enabled attacks can affect all latest Android versions and all apps (including the most privileged system apps) installed on the system,” Chuangang Ren, security researcher from Penn State University, warned.
The researchers from Penn State who discovered the Android Vulnerability presented a paper on it at the USENIX Security 15 conference in Washington DC last week. It explained:
Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implications of Android multitasking remain under-investigated.
With a systematic study of the complex task dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilising the task hijacking attack surface to implement UI spoofing, denial-of-service and user-monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities.
We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy.
The research team has notified Android about the vulnerability. Neither them nor Google – or Alphabet, as the parent company is now known – has commented on the findings of the paper.
UPDATE – 24th September, 2015:
Matt Penny from Google’s press office has issued the following statement:
“We appreciate this theoretical research as it makes Android’s security stronger. Android users are protected from attempts at phishing or hijacking like this (including manipulation of the user interface) with Verify Apps and Safety Net security features. Based on our research, fewer than 1% of Android devices had a Potentially Harmful App (PHA) installed in 2014, and fewer than 0.15% of devices that only install from Google Play had a PHA installed.”
Thank you The Register for providing us with this information.
Image courtesy of Hacoder.