Google Android Focus Stealing Vulnerability Demo

Way back in August 2011, myself and Sean Schulte gave a presentation at DEF CON 19 called "This is REALLY not the droid you're looking for...". This was a continuation of a talk given at DEF CON 18 of similar name. Instead of looking at the Android kernel, we took a look at what bad things can be done with official Google provided tools (SDK). The result was the discovery of a design flaw in the Android operating system that is also referenced in an advisory we published.

Remember back about a decade ago when all the cool kids were making websites that had pop-up ads? You'd be searching for something, click on a link and bomb all these pop-ups would fill your screen. That wasn't so cool, in fact all the browser makers added pop-up blockers to put those kids in time-out. Then some guy started making "pop-behind" ads. That guy was a jerk.

Fast-forward to 2011. Everyone has a mobile device. Lots of folks have Android devices. You download a fun looking game from the Android Market. Install it on your device and give it a whirl. You the decide you want to tell all your friends about this game on Facebook. You exit the game and launch Facebook. It asks for your credentials. You enter them in. The next thing you know some jerk is posting all kinds of crazy stuff to your Facebook time-line. Your mom calls. There goes your afternoon.

What exists today is design flaw in the Android operating system that lets app developers add focus stealing functionality to their app so that they can target end users of other apps. This flaw opens the doors for fake login screens, pop-up ads, and other mahem to have fun on your Android device. Should you trust a login screen on your Android device from now on? Watch the video below and find out.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.