
Android clickjacking attacks possible from Google Play apps

Experts say Google's balancing act between security and usability on Android has left the door open for clickjacking attacks by malicious actors.

The threat of clickjacking attacks on Android was made "significantly more difficult" by Google with Android 6.0 Marshmallow, but new research from Check Point Software Technologies, based in Waltham, Mass., shows that Google did not completely remediate the issue.

The problem stems from a feature of Android that allows apps to write on top of other apps, which can lead to a number of abuses, according to Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender.

"Apps that abuse the screen overlay function could trick the user into giving away sensitive information -- passwords, credentials, etc. -- by overlaying phishing screens on top of legitimate applications," Arsene told SearchSecurity. "If convincing enough, those phishing screens could be leveraged to get users to uninstall applications, remove security software, install other malicious applications, or even give away banking information, as what they would see on the screen would be manipulated by the malicious app."

The Check Point Mobile Research Team noted that Google did introduce a new permission model in Android 6.0 that made this issue harder to exploit, but the added friction only applies to apps installed from outside the Google Play Store.

"Since Google understood the problematic nature of this permission, and the apparent risks for user privacy it created the distinct process mentioned above to approve it. However, this soon caused problems, as this permission is also used by legitimate apps, such as Facebook, which requires it for its Messenger chat heads feature," Check Point wrote in a blog post. "As a temporary solution, Google applied a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions, which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store. This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission."
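The practical consequence of the grant path Check Point describes is that a device can hold apps whose overlay ability was never shown to the user in the Settings prompt. The script below is an added example, not code from the article, Check Point or Google: it walks the packages on an attached device, asks the app-ops service whether each may draw over other apps, and flags the ones that got that ability by being installed from the Play Store (package name com.android.vending). It assumes adb is on the PATH with one device attached, that `pm list packages -i` prints lines of the form `package:NAME  installer=INSTALLER`, and that `appops get PKG SYSTEM_ALERT_WINDOW` prints a line starting `SYSTEM_ALERT_WINDOW: allow` or `SYSTEM_ALERT_WINDOW: deny` (or `No operations.` when the op was never set); those output formats are assumptions about the tooling, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the article): triage which installed apps can draw
# over other apps, and whether that ability came via the Play Store grant path.
# Assumptions: adb on PATH, one device attached; `pm list packages -i` prints
# "package:NAME  installer=INSTALLER"; `appops get PKG SYSTEM_ALERT_WINDOW`
# prints "SYSTEM_ALERT_WINDOW: allow|deny ..." or "No operations.".
# The Play Store's package name is com.android.vending.

# Reduce raw appops output to a single state word: allow, deny or default.
overlay_state() {
  case "$1" in
    *"SYSTEM_ALERT_WINDOW: allow"*) printf 'allow\n' ;;
    *"SYSTEM_ALERT_WINDOW: deny"*)  printf 'deny\n' ;;
    *)                              printf 'default\n' ;;
  esac
}

# Extract "NAME INSTALLER" from one `pm list packages -i` output line.
parse_pm_line() {
  printf '%s\n' "$1" | sed -n 's/^package:\([^[:space:]]*\)[[:space:]]*installer=\(.*\)$/\1 \2/p'
}

# Interpret an overlay grant in light of who installed the app: on 6.0.1 a
# Play-installed app received the op without the Settings prompt, so those
# grants deserve a human look; a sideloaded app's grant went through Settings.
classify() {
  pkg=$1; installer=$2; state=$3
  case "$state" in
    allow)
      if [ "$installer" = "com.android.vending" ]; then
        printf '%s: overlay ALLOWED, auto-granted via Play Store - review\n' "$pkg"
      else
        printf '%s: overlay ALLOWED, sideloaded (installer=%s), user approved in Settings\n' "$pkg" "$installer"
      fi ;;
    deny)   printf '%s: overlay denied\n' "$pkg" ;;
    *)      printf '%s: overlay not granted\n' "$pkg" ;;
  esac
}

# Walk every package on the attached device. `tr -d '\r'` strips the CRLF that
# older adb builds emit on shell output.
audit_device() {
  adb shell pm list packages -i | tr -d '\r' | while IFS= read -r line; do
    set -- $(parse_pm_line "$line")
    [ -n "$1" ] || continue
    state=$(overlay_state "$(adb shell appops get "$1" SYSTEM_ALERT_WINDOW | tr -d '\r')")
    classify "$1" "$2" "$state"
  done
}

# Only talk to a device when invoked as: sh overlay_audit.sh run
if [ "${1:-}" = "run" ]; then
  audit_device
fi
```

The state words come from app-ops rather than from `dumpsys package`, because on Marshmallow the install-time permission line for SYSTEM_ALERT_WINDOW stays `granted=true` for any app that declares it; the app-op is what actually decides whether the window is drawn. Any app the script lists as auto-granted via the Play Store is one the user was never asked about, which is exactly the population Check Point is warning about.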

Yair Amit, CTO at Skycure, a mobile security company headquartered in Palo Alto, Calif., called this "a classical trade-off between usability and security."

"Google's policy to allow easier ways to use the screen overlay makes the experience of downloading and using apps that come from Google Play more streamlined, but since malware can enter into Google Play, this creates a security exposure for users," Amit told SearchSecurity. However, Amit said the Google Play Store uses "strong app analysis technology, which combines static and dynamic analysis. While it blocks, the wide variety of malware campaigns that have been uncovered in the past few years illustrates that Google's great efforts need to be supplemented by security solutions."

Arsene said using this permission model does allow Google stricter control but doesn't eliminate the potential for clickjacking attacks, especially for those without access to the Google Play Store.

"Google's Bouncer is not immune to falsely tagging malicious apps as legitimate. There have been numerous instances in the past when malicious applications made their way in Google Play and eventually on user devices," Arsene said. "Plus, there are plenty of third-party app marketplaces out there from where users can still download and install potentially malicious apps. And not because they're necessarily bent on using those marketplaces, but because Google Play may be restricted in their respective region and third-party marketplaces are their only choice."

Check Point reported the clickjacking risk created by this permission grant to Google, which said it was working on the problem and would fix it in Android O. Android O will likely be shown off in beta form next week at the Google I/O conference, but the full release traditionally does not begin until late fall.

Matthew Gardiner, cybersecurity strategist at Mimecast, said when to push a patch can be a difficult decision.

"This is a typical challenge in the vulnerability patching world for application and OS developers. Patching things quickly can risk the stability of their system and patching things slowly risks further exploitation of the vulnerability by cybercriminals," Gardiner told SearchSecurity. "It's a tough call all around, but something that most developer teams wrestle with every day."

Arsene worried about those who may never get the Android O update, but said there were other ways to protect against clickjacking attacks.

"Having a fix only available for Android O does raise security concerns, as a large number of Android users will be left vulnerable throughout their entire lifetime," Arsene said. "However, having security software installed that's able to spot malicious applications is a great way of minimizing the risk of accidentally installing malicious apps that leverage the screen overlay function, even if these apps are downloaded from third-party marketplaces."

