A new vulnerability is identified in the Android system by EURECOM researchers
Security researchers typically start by identifying vulnerabilities and bugs in operating systems and crafting attacks against them, putting themselves in the attacker’s shoes, since “Defense is the art of attacking”. The next step is to propose remedies that fix these bugs.
Let’s follow EURECOM’s professor Simone Aonzo, an expert in mobile system security and malware analysis, on his journey hunting vulnerabilities and malware that could pose a threat to systems and users.
Q: Could you please talk about the new vulnerabilities that you recently identified in the Android system, and what is the potential impact on the users?
SA: This is not the first time that collaborating with the University of Genova has led to significant findings in this research field. Back in 2018, when I was a Ph.D. student at the University of Genova, I started working with Yanick Fratantonio and we identified a vulnerability in password managers. So, by exploiting two modern Android features, we were able to craft a phishing attack to exfiltrate users’ credentials from the password managers. Today, we have identified three vulnerabilities. One of them is based on an old feature of Linux (Android is based on the Linux kernel). In a recent paper we published, we combined all three vulnerabilities, which are not related to each other, to help us notice when an application is starting and craft a new, very powerful phishing attack.
This phishing attack works as follows: when you open an app, another malicious app (identical to the original) pops up on top of it, and you are likely going to fall into this trap and give up personal information. This can be devastating because it is very difficult for the user to understand that he is a target of this attack.
We also proposed the full chain of remediation to finally defeat this attack, already communicated to Google; the ball is in their court now. So, if Google pushes all the updates, all our suggestions, that patch all the vulnerabilities we found, then Android will be more secure, and this attack will no longer be valid. The good thing is that, luckily, we found this before some bad guys did. In fact, we have also checked that modern malware is not using this trick.
Q: Is there a protocol you must follow when identifying such vulnerabilities, and has Google already fixed them?
SA: There is a bug tracker for Android, which is not public. So, we wrote to Google about the three vulnerabilities we found. The result was that two of them were acknowledged as ‘bugs of moderate severity’, and we received a small monetary reward for them. Regarding the third one, Google said that they were already aware of this vulnerability, but it was not public. So, all three of them were confirmed, and after that, we had to wait 90 days before publicly publishing them, according to the protocol. We waited for more than one year; therefore, we could legally disclose these vulnerabilities.
The big issue is that these three bugs are not related to each other; they look like three different things, but if you combine them together you have this very powerful phishing attack. In fact, what we did at the end was to also write in the issue tracker that we had combined these bugs and managed to craft this attack (we also attached the PDF of our article). So, despite Google being aware of everything, we just received a “thank you for sharing”.
At the moment, these bugs have not been fixed yet. After their confirmation, we have been checking the release notes every time Android releases a new version, to see if they are fixing or implementing something related to this, but we have still found nothing. Therefore, it is still an open problem that must be fixed, but we have had no official confirmation so far. I do not want to defend Google, but I understand what it is like to work in such a big company. The point is that they have a gazillion reports daily, and therefore it is very difficult to understand if something is really important or not.
Q: Are all applications vulnerable to this phishing attack, even critical ones like bank apps?
SA: What we show in this paper is that all Android apps, regardless of the device or the system version, are vulnerable. So, this is not a vulnerability of a single device; this is something that is going to blow up the whole Android ecosystem. Of course, bank apps are the preferred target of this kind of attack, this is the point! The dream of every Android malware developer is to be able to know precisely when a user starts an app. If you think about it, if I am a banking malware and I know when you are starting your app, I immediately put my phishing version on top of it! This type of attack falls under the umbrella of side-channel attacks. Android developers have put a lot of effort into limiting this type of attack and have achieved very good results so far.
Q: Can the user do something to avoid this attack?
SA: My only suggestion to users is to check the list of open apps before entering credentials, to see if the last one is suspicious. For example, you are using the Facebook app, but every time you use it you do not have to enter your credentials. Suddenly, when you click to open the app, Facebook is prompting for your credentials. Then, the only thing you can do is to check the list of all opened apps, where you can actually see that there is another malicious app open “on top” of Facebook. Generally, it is very difficult to prevent this type of attack. It is important to rely on researchers and ethical hackers who share their findings with the community and do not sell this knowledge on dark markets. Luckily, this time that was the case.