What we see on our mobile phone screens is not always what we are actually operating. This has been demonstrated by a research team at TU Wien (Vienna, Austria), consisting of Philipp Beer, Sebastian Roth, Marco Squarcina, and Martina Lindorfer: on Android phones, an invisible app can be active in the foreground – and that is a potential security problem. Users then operate an app that they cannot see and can be tricked into performing unwanted actions, such as granting certain rights to a malicious app or even deleting data.
The research group is already in contact with the Android security team. The newly discovered security vulnerability will now be presented at the world's leading security conference, USENIX, in Seattle (USA).
Harmless game with nasty consequences
Several apps can be active on a smartphone at the same time. Normally, one of them is visible in the foreground, and the user interacts with it when they tap the screen. "However, apps can also launch other apps and use animations such as slow fade-ins or slide-ins," explains Philipp Beer from the Security and Privacy Group at TU Wien (Institute for Logic and Computation). "This is exactly what can be exploited."
A fraudulent app can launch another app without being noticed and display it transparently. The launched app is now in the foreground and can be controlled with a tap of the finger – but it remains invisible.
"We tried this out by creating a simple game where you collect points by tapping little bugs on the screen," says Philipp Beer. "But the game then opens another app, such as a browser. We can now place our bugs from the game wherever we want so that the exact position on the screen is tapped. You feel like you're still playing the bug game, but in reality you're now operating the newly launched app that you can't even see."
The research team had twenty test subjects try out the bug game, and the team was indeed able to obtain various permissions unnoticed in this way – such as access to the smartphone's camera. "Theoretically, you could also use this method to launch a banking app or delete all the data on your mobile phone," says Beer.
No perpetrators so far
The team at TU Wien has thus proven that the attack works. But is it actually being used? "We examined around 100,000 apps from the Play Store and didn't find any that exploit this vulnerability," says Philipp Beer. "We therefore hope that the vulnerability has not yet done any real damage – but of course the problem needs to be fixed."
The team has already contacted the Android development team; technically, it would be possible to close the loophole. The manufacturers of Firefox and Google Chrome have also been contacted; both have already closed the loophole for their browsers. GrapheneOS, an Android-based operating system designed specifically to maximise security, has also already solved the problem.
"As a general rule, you should never install apps that don't appear to come from a trustworthy source," says Philipp Beer. "When the camera or microphone is accessed, this is often indicated by icons in the status bar, so you should pay attention to these."
If you want to be on the safe side, you can disable app animations altogether (in the settings under 'Accessibility,' 'Colour and motion').