
Mega Security Flaw Discovered in Android: Beware of Invisible Apps

An invisible app makes misuse possible. ©APA/dpa/Elisa Schu/Canva
An as-yet-unknown vulnerability in the Android operating system allows smartphone owners to be tricked into unknowingly granting sensitive permissions. Researchers from TU Wien demonstrated how targeted manipulation can allow an invisible app to operate in the foreground – with potentially serious consequences for data security.

A security flaw in Android has been discovered by a research team from TU Wien. According to them, a fraudulent app can be launched by exploiting transition animations and can trick a smartphone user into granting the application certain permissions through "tapjacking." The malicious app could then, for example, launch a banking app, turn on the camera or microphone, or delete data. The team is already in contact with security teams, TU Wien reported.

Invisible App Enables Permission Theft

On smartphones or tablets, multiple apps can be active simultaneously. Interaction usually occurs with the application visible in the foreground. However, apps can also launch other apps. "To ensure the user doesn't notice, the malicious app uses animations, such as those with long duration and high transparency," explained Philipp Beer from the Security and Privacy Group at the Technical University (TU) Wien to the APA.

"This animation then makes, for example, a browser app or a permission setting completely invisible," said Beer. A tap then goes to the now invisible app in the foreground, such as a browser. Such an attack, called a "TapTrap," "can be used by a malicious app to secretly bypass Android's permission system and gain access to sensitive data or perform harmful actions, such as deleting data without the user's consent," the computer scientists wrote in their paper, which they will present in mid-August at the USENIX security conference in Seattle (USA).

Instead of Game, Invisible App is Operated

Beer and his colleagues Marco Squarcina, Sebastian Roth, and Martina Lindorfer tested such an attack with the simple game "KillTheBugs." In this game, points are collected by tapping small bugs on the screen. However, the game secretly opens another app, such as a browser, through an animation. "We can now place our bugs from the game exactly where we want on the screen. It feels like you're still playing the bug game, but in reality, you're now operating the newly launched app that you can't even see," said the computer scientist.

In tests with 20 participants, Beer's team was indeed able to obtain various permissions unnoticed, such as access to the smartphone's camera. "Theoretically, one could also launch a banking app this way, or even delete all data on the phone," said the computer scientist.

No Misuse Detected So Far

The research team examined around 100,000 apps from the Play Store and did not find any application exploiting this vulnerability. The computer scientists hope that no real damage has been done so far - "but of course the problem needs to be fixed," said Beer, since three-quarters of the apps are vulnerable to "TapTrap" attacks.

Various development and security teams were already made aware of the possibility of a "TapTrap" attack last year, and the teams behind the browsers "Firefox" and "Google Chrome" have already closed the gap. GrapheneOS, an Android-based operating system, has also solved the problem.

Disable App Animations

The computer scientists advise never installing apps whose origin does not appear trustworthy. Access to the camera or microphone is often also visible through icons in the status bar. You can be completely sure by disabling app animations altogether. This is possible in the settings under "Accessibility," "Color and Motion."
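The following script is an added example, not from the article or the TU Wien team, for administrators who want to verify the mitigation above on managed devices. It assumes adb is on the PATH with an authorised device attached, and that the Accessibility "Remove animations" toggle corresponds to the three global animation-scale settings queried below (an assumption about stock Android, not something the article states).

```shell
#!/bin/sh
# Check (and optionally enforce) that app animations are disabled on an
# Android device, the user-side mitigation against TapTrap-style attacks.
# Assumption: these three global settings back the "Remove animations" toggle.
ANIM_KEYS="window_animation_scale transition_animation_scale animator_duration_scale"

# `settings get` prints "null" for a key that was never written; Android then
# falls back to the default scale 1.0, i.e. animations are enabled.
normalize_scale() {
    case "$1" in
        null|"") echo "1.0" ;;
        *)       echo "$1" ;;
    esac
}

# Returns 0 (true) when the given scale value means "no animation at all".
scale_is_zero() {
    v=$(normalize_scale "$1")
    awk -v v="$v" 'BEGIN { exit (v + 0 != 0) }'
}

# Takes the three scale values as arguments; true only if every one is 0.
animations_disabled() {
    for v in "$1" "$2" "$3"; do
        scale_is_zero "$v" || return 1
    done
    return 0
}

# Query the attached device, print each scale, and give a verdict.
# With --fix, every non-zero scale is set to 0 via `settings put`.
check_device() {
    vals=""
    for k in $ANIM_KEYS; do
        raw=$(adb shell settings get global "$k" | tr -d '\r')
        v=$(normalize_scale "$raw")
        printf '%-28s %s\n' "$k" "$v"
        if [ "$1" = "--fix" ] && ! scale_is_zero "$v"; then
            adb shell settings put global "$k" 0
        fi
        vals="$vals $v"
    done
    if animations_disabled $vals; then
        echo "OK: animations disabled; a transparent transition cannot hide the foreground app"
    else
        echo "WARN: animations enabled; disable under Accessibility > Color and Motion, or rerun with --fix"
    fi
}

# Only talk to a device when run as a script with adb available.
if [ "${0##*/}" = "check_animations.sh" ] && command -v adb >/dev/null 2>&1; then
    check_device "$1"
fi
```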

Here is the research team's website on the "TapTrap" attack with a demonstration video.

(APA/Red)

This article has been automatically translated; read the original article here.
