News  Android
Android Task Hijack

Android on the ropes ... again

Oh man, is Android taking a battering at the moment. Right after the infamous Stagefright bug, and its botched fix, we have the Android Task Hijack bug, which this time puts every single release of Android at risk.

The exploit was presented at the USENIX Security 15 conference in Washington DC recently and is detailed in a pdf. Proof-of-concept demonstrations were shown which could result in UI spoofing, denial-of-service and user spying attacks.

The 5 man team from Pennsylvania State University who discovered the vulnerability have notified Google.

Video shows the Task Hijack attack in action

A video showing how PayPal credentials can be stolen from an infected device has been released:

This example is rather crude - in reality, a user would have no reason to suspect any wrongdoing since the fake login screen would look identical to the real one.

"Every version affected"

Because this vulnerability is targeted at a fundamental Android function - its multitasking - it affects every version. In fact the team has studied over 6.8 million apps and found many are affected.

Android has really been battered recently - just as the new version, Marshmallow, is announced. Hopefully Google will be able to address these vulnerabilities asap and none of them will be present when it launches later in the year.