Vulnerability in Android multitasking function lets hackers spoof users, steal information and launch DoS attacks
Security researchers from Pennsylvania State University, in collaboration with security firm FireEye, have discovered a critical vulnerability in Android’s multitasking function. Chuangang Ren and Peng Liu, both from Pennsylvania State University, and Yulong Zhang, Hui Xue and Tao Wei from FireEye discovered the vulnerability, which lets hackers spoof the Android owner, steal information and launch app denial-of-service attacks.
Ren, a security researcher from Pennsylvania State University, stated, “The enabled attacks can affect all latest Android versions and all apps (including the most privileged system apps) installed on the system.”
The researchers have published a paper on the vulnerability, titled “Towards Discovering and Understanding Task Hijacking in Android,” which was presented at the USENIX Security 15 conference in Washington DC last week.
Video demonstrating denial of service
Video demonstrating user spoofing
The paper states,
“We find that the Android task management mechanism is plagued by severe security risks. When abused, these convenient multitasking features can backfire and trigger a wide spectrum of task hijacking attacks. For instance, whenever the user launches an app, the attacker can condition the system to display to the user a spoofed UI under attacker’s control instead of the real UI from the original app, without user’s awareness.”
“All apps on the user’s device are vulnerable, including the privileged system apps. In another attack, the malware can be crafted as one type of ransomware, which can effectively “lock” the tasks that any apps belong to on the device (including system apps or packages like “Settings” or “Package Installer”), i.e. restricting user access to the app UIs and thus disabling the functionality of the target apps; and there is no easy way for a normal user to remove the ransomware from the system. Moreover, Android multitasking features can also be abused to create a number of other attacks, such as phishing and spyware. These attacks can lead to real harms, such as sensitive information stolen, denial-of-service of the device, and user privacy infringement, etc.”
The Android multitasking vulnerability affects all Android smartphone versions and leaves almost 1.1 billion+ smartphones vulnerable to such attacks. It comes on the heels of three critical Android vulnerabilities disclosed around the time of DefCon and Black Hat 2015. The first, called Stagefright, was discovered by Zimperium Labs and lets hackers take over an Android smartphone by sending a specially crafted multimedia or Google Hangout message.
Trend MicroLabs discovered the Silent Attack vulnerability, which again uses an Android Mediaserver flaw to render the smartphone dead. Two days earlier, they discovered another Android Mediaserver vulnerability that let hackers install malware by sending a specially crafted multimedia message.
Google has been struggling to patch the above vulnerabilities and issued a half-cooked patch that itself had some flaws.
The security researchers from Pennsylvania State University and FireEye have notified Google and the Android security team.
We reached out to Google for comment on this vulnerability, and they emailed us the following statement:
“We appreciate this theoretical research as it makes Android’s security stronger. Android users are protected from attempts at phishing or hijacking like this (including manipulation of the user interface) with Verify Apps and Safety Net security features. Based on our research, fewer than 1% of Android devices had a Potentially Harmful App (PHA) installed in 2014, and fewer than 0.15% of devices that only install from Google Play had a PHA installed.”