Aug 8, 2011 13:52 GMT

Security researchers have demonstrated a new attack method against Android users which is hard to detect because it abuses legit functionality.

The attack leverages a feature that allows applications to steal focus. For example, imagine using the browser when a Facebook login screen suddenly appears.

However, instead of being generated by the Facebook app, this would be a fake screen pushed into focus by a rogue service running on the system.

According to Sean Schulte and Nicholas Percoco, the two security researchers from Trustwave who presented the attack at DEFCON, the attack is even more dangerous because Android also allows the back button to be disabled. This makes it harder for users to escape the rogue screen.
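As an added example (not code from the researchers or from the article), here is a heuristic static check a reviewer could run over decompiled app sources to flag the two behaviors described above appearing together: a service that launches a screen and an activity that swallows the back button. The Android API names it searches for (`FLAG_ACTIVITY_NEW_TASK`, `onBackPressed`) are not named in the article, and the indicator labels, regexes and sample file contents are constructed for illustration.

```python
import re

# Constructed, decompiled-style Java snippets (sample input, not from a real app).
SAMPLE_APP = {
    "SyncService.java": "class SyncService extends Service { void tick() {"
        " Intent i = new Intent(this, PromptActivity.class);"
        " i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); startActivity(i); } }",
    "PromptActivity.java": "class PromptActivity extends Activity {"
        " public void onBackPressed() { /* ignored */ } }",
    "AboutActivity.java": "class AboutActivity extends Activity {"
        " public void onBackPressed() { super.onBackPressed(); } }",
}
SERVICE_RE = re.compile(r"\bclass\s+\w+\s+extends\s+\w*Service\b")
ACTIVITY_RE = re.compile(r"\bclass\s+\w+\s+extends\s+\w*Activity\b")
BACK_RE = re.compile(r"\bvoid\s+onBackPressed\s*\(\s*\)\s*\{")
BOTH = {"service-launches-activity", "back-button-suppressed"}

def method_body(src, open_brace):
    """Return the text between the brace at open_brace and its match."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace + 1:i]
    return src[open_brace + 1:]  # unbalanced input: take the rest

def audit_source(src):
    """Return the focus-stealing indicators found in one source file."""
    found = set()
    # A Service has no UI of its own; it shows a screen by starting an
    # activity in a new task.
    if (SERVICE_RE.search(src) and "startActivity(" in src
            and "FLAG_ACTIVITY_NEW_TASK" in src):
        found.add("service-launches-activity")
    m = BACK_RE.search(src) if ACTIVITY_RE.search(src) else None
    # An onBackPressed() override that never calls super swallows the back key.
    if m and "super.onBackPressed" not in method_body(src, m.end() - 1):
        found.add("back-button-suppressed")
    return found

def audit_app(files):
    """Return (suspicious, per_file); suspicious means both indicators co-occur."""
    per_file = {name: audit_source(src) for name, src in files.items()}
    combined = set().union(*per_file.values())
    return BOTH <= combined, per_file

if __name__ == "__main__":
    print(audit_app(SAMPLE_APP))
```

Either indicator alone is common in benign apps, so the check only reports an app when both are present, and a hit is a prompt for manual review rather than a verdict.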

It's true that a rogue app would need to be downloaded and installed in the first place, but spotting it wouldn't be easy. Attaching trojans to legit apps has become a common way of distributing Android malware.

However, unlike such trojanized apps that ask for extensive permissions, apps abusing this Android feature do not trigger special alerts because this functionality is normal.

Attacks can be even more subtle, with apps injecting ads during the runtime of others. Because the back button is disabled, these ads would probably have a high click-through rate.

According to CNET, Google said that so far it hasn't encountered any applications that abuse this functionality and that any would be immediately removed from the Android Market.

Google is probably relying on users to identify such apps when they appear and report them, but it would be difficult for users to determine which apps generate the ads.

By the time Google removes the apps, their creators might already have earned enough revenue to justify their creation in the first place. In fact, now that the news is out, it wouldn't be surprising to see click fraud trojans abusing this functionality.