Researchers question Android push notifications design
Newly discovered 'design flaw' could enable rogue app developers to create fake logins and steal passwords.
Security researchers claim to have found a way for malware developers to target Android phones with phishing and pop-up scams using its 'push' alert feature for apps.
The SpiderLabs advanced security team at Trustwave said the ability of Google's mobile operating system (OS) to push one application to the front of active processes to deliver notifications could be exploited by cyber criminals.
A counterfeit mobile banking app could, for instance, push a fake login page to a user in order to steal username and password details in a phishing exploit.
Or, the researchers suggested, it could more simply but no less intrusively be used to push pop-up adverts onto a user's screen every time they tried to use an affected app. Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, said that, because of the push nature of Android notifications, users were more likely to mistakenly trust them.
Percoco and Trustwave SSL developer Sean Schulte revealed their findings by demonstrating a proof of concept targeting Facebook, Amazon and Google passwords. Google has reportedly responded by saying that it did not regard the design feature as a flaw at all.
"Switching between applications is a desired capability used by many applications to encourage rich interaction between applications," it said in a statement sent to IT Pro.
The software giant also said it had not encountered any examples of the feature being exploited maliciously but that, if it did, it would remove the offending apps from the Android Market.
Percoco and Schulte countered during their DefCon hacking conference presentation that waiting to remove an app using this feature maliciously after it has been reported was "dangerous".
Meanwhile, a security expert recently predicted five per cent of all Android and Apple iPhones will be infected with malware in 2012.
A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.
Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.