Android zero-day opens phones up to drive-by-downloads

News by Doug Drinkwater

A new zero-day flaw affecting all versions of Google's Android operating system could be exploited by hackers looking to steal data or take control of the mobile device.

In a blog post published in February and updated with a proof-of-concept attack just last week, French network security firm NES Conseil explained that the unpatched flaw could allow an attacker to launch an attack known as ‘touch jacking’.

Touch jacking is similar to the ‘click jacking’ attacks on browsers from earlier in the 2000s, where one iFrame was laid on top of another, with the lower layer unseen by the user and able to be used discreetly to carry out malicious activity.

This latest flaw relies on a few core elements of Android, such as the "android.permission.SYSTEM_ALERT_WINDOW" permission, which can be found in all versions of the Android developer API as well as the last release of the Google Play store. With this permission an app can create numerous screen windows (WindowManager.LayoutParams.TYPE_SYSTEM_ALERT) to notify the user of events, such as a low battery level.

“By combining this functionality with handling event methods, we will be able to drive the users to another application download, without them being aware of it,” said the researchers in the blog post, adding that events carried out on the top of the screen could be “communicated to the underlying instrument window.”
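An app can protect its own sensitive controls against this kind of overlay by refusing touches that arrive while another window covers it. The following is an added example in Java against the Android SDK, not code from the researchers' post; the package and class name `GuardedConfirmButton` are hypothetical.

```java
package com.example.touchguard; // hypothetical package name

import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Added example: a confirmation button that ignores taps delivered while
 * another visible window (for example a TYPE_SYSTEM_ALERT overlay) covers it.
 */
public class GuardedConfirmButton extends Button {

    private static final String TAG = "GuardedConfirmButton";

    public GuardedConfirmButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Framework-level filter: discard touches when the window is obscured.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // The system sets this flag when another visible window sits on top
        // of this view's window at the touched location.
        if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            if (event.getAction() == MotionEvent.ACTION_UP) {
                // Record the dropped tap so support and QA can see why
                // the button appeared unresponsive.
                Log.w(TAG, "Tap dropped: window obscured by another app");
            }
            return false; // event is not dispatched; onClick never fires
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

For stock widgets the layout attribute `android:filterTouchesWhenObscured="true"` enables the same framework filter without a subclass. The check covers only the app's own views; system dialogs are outside a third-party app's control.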

In the proof-of-concept video, researchers showed how, after an application is downloaded from Google Play, a hacker could potentially connect their PC to the phone remotely to steal contacts and messages. Other experts described how, for example, hackers could produce a legitimate gaming app with a built-in capability for a second, unseen app to be used for installing malware or conducting expensive messaging scams.

For the proof-of-concept video, researchers tested with a Nexus 4 under Android 4.3 and Android 4.4, and a Nexus 5 under Android 4.4.

Grayson Milbourne, the security intelligence director for internet security company Webroot, said that the attack, while interesting, wouldn't be widespread.

“This is a rather interesting attack technique. The basis for the attack is to trick a user into installing an additional app without their consent or knowledge. The attack is then performed by using a few native Android APIs to control touch input in what is accurately called touch-jacking. Similar to click-jacking, where the link you click on is actually a redirect to another link, touch-jacking does a similar thing by overlaying a transparent image on an app. The end result is that a user thinks they've clicked on an accept button to agree to the app's usage when in fact they just downloaded and installed a new app.”

He added: “There are a few caveats to this however: First, the target user needs to install an app which takes advantage of this functionality, which would be a malicious app in the first place.

“Second, the option (on by default) to only allow app installations from trusted markets would alert the user if the second app download is not on Google Play.

“However, even if the new malicious payload is on Google Play, there is a visual indicator that a new app is being downloaded which is even evident in the demonstrating YouTube video of the attack.

“While I think this is a very clever technique, I don't believe it is very widespread.”

F-Secure security adviser Sean Sullivan told SC that this was an ‘interesting’ attack, albeit one facilitated by Android asking for all needed permissions up front.

“The “touch-jacking” is a trick that allows the attacker to stack dialog messages on top of one another and to pass a tap up top to a dialog down below. So the user will see a “good” permission prompt or even just some notification, and when they tap to clear away the notification… the tap will be passed to the “evil” permission request. 

“More and more I like the iOS approach of asking me for access when the app wants to actually use the feature. Skype for iOS asked for microphone access the first time I launched it (naturally) but it didn't ask for photo access until I later wanted to attach one in a conversation.”

Mike McLaughlin, technical team lead and senior penetration tester at First Base Technologies, further described how these actions could be cascaded down to a second unknown app, which could be doing everything from browsing on Google Chrome to downloading new apps from Google Play. However, he said that there was no obvious bug to fix, although he noted how Google could potentially improve Google Bouncer to look out for this kind of activity.

“This is inherently down to how Android works and apps interact with each other so there's no obvious patch.”

Google didn't respond to our request for comment at the time of writing.

Update: Malwarebytes' mobile threats research team said of the flaw: "This exploit is using functions from class WindowManager.LayoutParams to hide Malware. 

"The user unknowingly accepts an .APK install because the permissions acceptance page is being overlaid with a fake page - so you may think you just clicked "Play Now", when you've actually agreed to downloading / installing another .APK. The user has no idea they've just accepted the terms to install an app with a collection of permissions they otherwise wouldn't have agreed to installing."
