Developers can create apps that appear to be innocuous but which can display a fake bank app log-in page, for instance, when the user is using the legitimate bank app, Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, said ahead of his presentation on the research at the DefCon hacker conference today.
Currently, apps that want to communicate with the user while a different app is being viewed just push an alert to the notification bar on the top of the screen. But there is an application programming interface in Android's Software Development Kit that can be used to push a particular app to the foreground, he said.
The researchers have created a proof-of-concept tool that is a game but also triggers fake displays for Facebook, Amazon, Google Voice, and the Google e-mail client. The tool installs itself as part of a payload inside a legitimate app and registers as a service so it comes back up after the phone reboots, Percoco said.
For more on this story, read Android could allow mobile ad or phishing pop-ups on CNET News.