Mouse-over-on-mobile feature intentionally allows data-stealing overlay attacks
That took a while: Android’s had Hover since Ice Cream, but boffins have taken until now to work out how to attack it.
Hover is a set of interface calls that let application designers imitate mouse-over behaviours people know from PCs, and it only needs to be implemented on a phone or tablet to be vulnerable – whether or not a particular app supports it.
The researchers, from ETH Zurich and the Sapienza University of Rome, figured out that “any Android application running with a common SYSTEM_ALERT_WINDOW permission” can ”record all touchscreen input into other applications”.
Their paper is here at Arxiv.
In other words, it’s an overlay attack.
Such things aren’t new – The Register has reported on attacks that include overlay exploits in May, June and September of this year alone – but the researchers reckon their “Hoover” attack is more accurate.
Even worse, because SYSTEM_ALERT_WINDOW is a common permission, Hoover attackers don’t need to phish the users, and it’s transparent.
Did we mention it gets even worse? The obvious exploit of Hoover is to grab PINs and passwords, but the boffins who wrote the paper have the kind of devious mind you more easily imagine inhabiting an island fortress than a prim academia.
They note that a Hover-based attack can also watch what apps someone is using (and therefore could redirect them to malicious lookalike apps as updates); or could build a biometric profile of the user, to bypass biometric authentication.
So let’s take a look at how it works.
Hover isn’t much different from a touch-screen interface: it detects the user’s finger or stylus as x-y coordinates, with suitable system calls to Hover events, and it interacts with the UI’s View Objects building blocks.
If you can create a transparent overlay, it’s easy to capture the user’s interaction, but in most similar vulnerabilities the attacker has to trick the user into installing a malicious app.
That’s where the SYSTEM_ALERT_WINDOW permission comes in. People routinely allow apps to use this permission, because it lets them get a popup when a new text message arrives – or a new Facebook notification.
In other words, users have been socially engineered into saying “yes” to notifications.
The paper notes that on Google Play, “there are more than 600 apps with hundreds of millions of downloads each that require SYSTEM_ALERT_WINDOW to be installed”.
In Android, malware is blocked from observing other applications’ clicks – but the researchers found that a malicious, invisible window raised by SYSTEM_ALERT_WINDOW can watch Hover events, and use those to infer the user’s clicks.
The malicious app generates a fully-transparent alert window overlay which covers the entire screen.
The overlay is placed by the system on top of any other window view, including that of the app that the user is using.
Therefore, the malware, thanks to the overlay, can track the hover events.
However, the malicious view should go from active (catch all events) to passive (let them pass to the underneath app) in a “smart way” in time, so that the touch events go to the real app while the hovering coordinates are caught by the malware.
The malware achieves this by creating and removing the malicious overlay appropriately, through the WindowManager APIs, in a way that it does not interfere with the user interaction.
In other words, the Hoover attack pops up its window long enough to catch a Hover event, “guesses” from Hover what the click is going to be, hides the overlay so the user can interact with their application, and raises it again to catch the next input.
A bit of machine learning was required to train the attack, after which the researchers claim accuracy up 79 per cent for finger interactions, and up to 98 per cent for stylus users.
The researchers note this isn’t going to be easy to mitigate: Google will have to balance how to restrict Hover’s permissions without crippling legitimate apps. ®
Sponsored: Customer Identity and Access Management