Developers warn of Android pop-up threats

Summary: Researchers have discovered what they say is a design flaw in Android that could be used by criminals to steal data via phishing or by advertisers to bring annoying pop-up ads to phones.

Developers can create apps that appear to be innocuous but which can display a fake bank app log-in page, for instance, when the user is using the legitimate bank app, Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, said ahead of his presentation on the research at the DefCon hacker conference today.

Currently, apps that want to communicate with the user while a different app is being viewed just push an alert to the notification bar on the top of the screen. But there is an application programming interface in Android's Software Development Kit that can be used to push a particular app to the foreground, he said.

The researchers have created a proof-of-concept tool that is a game but also triggers fake displays for Facebook, Amazon, Google Voice, and the Google e-mail client. The tool installs itself as part of a payload inside a legitimate app and registers as a service so it comes back up after the phone reboots, Percoco said.

For more on this story, read Android could allow mobile ad or phishing pop-ups on CNET News.
