Yet another potentially dangerous vulnerability has reportedly been disclosed in Google's mobile operating system platform, Android.
Android has been hit by a number of security flaws this month, including:
- The Stagefright vulnerability, which affects 950 million Android devices worldwide
- A critical mediaserver vulnerability that threatened to crash more than 55 percent of Android devices
- Another critical flaw (CVE-2015-3842), discovered last week, that affected almost all versions of Android devices
The security flaw gives hackers the ability to spy on Android smartphone owners, steal login credentials, install malware, and much more, according to the latest research conducted by researchers at the Pennsylvania State University and FireEye.
How the Attack Works
According to the security researchers, the flaw could be exploited to lure victims into unwittingly typing their login details into a spoofed user interface, controlled by a hacker, when they start an app.
The device owner would be entirely unaware that they are typing their sensitive details into a malicious program masquerading as a legitimate Android app.
The researchers published their research in a paper titled, "Towards Discovering and Understanding Task Hijacking in Android" [PDF], which they presented at the USENIX Security 15 conference in Washington DC last week.
The study explains in practical detail how multitasking in Android differs from multitasking in desktop operating systems, focusing on what happens when one or more apps run simultaneously in one or more processes, creating multiple tasks.
Multitasking in Android benefits users in several ways:
- They can switch between apps
- Apps can maintain their state in the background
- Task or app switching is easy
Task Hijacking Attacks on Large Scale
Android's task management mechanism is exposed to severe security risks. When abused, these convenient multitasking features can backfire and enable task hijacking attacks on a vast scale.
The researchers analyzed more than 6.8 million apps from multiple Android app stores and found that the task hijacking flaw is prevalent in all apps. Since many Android apps depend on "the current multitasking design, defeating task hijacking is not easy."
The researchers also said that the vulnerability lets an attacker impersonate an app's user interface with one that the attacker controls.
You can watch the video for a quick overview of the vulnerability.
This is just one scenario, in which the attacker mounts a phishing attack on Android users and obtains their private credentials.
Yet More to Come
Users could also fall victim to ransomware, Distributed Denial of Service (DDoS) attacks and other cyber attacks.
The five security researchers – Peng Liu and Chuangang Ren from the Pennsylvania State University, and Yulong Zhang, Tao Wei and Hui Xue from FireEye – involved in the research reported the security hole to the Android team.
"We appreciate this theoretical research as it makes Android's security stronger," said a Google spokeswoman.
According to Google, you are safe: customers are protected from hijacking and phishing attacks by Android's Verify Apps and Safety Net features.
You can also keep yourself safe by installing apps from trusted sources and taking charge of your own safety.