Android Flaw Behind Phishing and Pop-ups Exposed
Researchers have found a flaw in Android, which can be exploited for stealing data via phishing or for sending irritating pop up adverts.
With the flaw, innocuous apps can be created which can make fake login pages for banks and you could take it for genuine only to enter your details in a phishing application.
“Android allows you to override the standard for (hitting) the back buttons," Sean Schulte, Secure Sockets Layer developer at Trustwave said.
"Because of that, the app is able to steal the focus and you're not able to hit the back button to exit out," Nicholas Perocco, senior vice president and head of SpiderLabs at Trustwave said.
The researchers have created a proof-of-concept tool that is a game but also triggers fake display for Facebook, Amazon, Google Voice and the Google e-mail client.
The tool installs itself as part of a payload inside a legitimate app and registers as a service so it comes back up after the phone reboots, Percoco said.
"Switching between applications is a desired capability used by many applications to encourage rich interaction between applications. We haven't seen any apps maliciously using this technique on Android Market and we will remove any apps that do this," Google told Cnet.
At present, when users are viewing one app and another app needs to communicate with the user it sends an alert on the notification bar.
© Copyright IBTimes 2024. All rights reserved.