A design weakness in Google's Android mobile OS could make it easy for criminals to launch phishing attacks to steal passwords, researchers said.
According to security firm Trustwave, the flaw allows an app developer to pop up a fake login page while the user is on a banking site.
It said the weakness stemmed from an app's ability to push itself to the front of the active applications and take over the screen, rather than having to alert the user through the notification bar. The same design could also be used for advertising pop-ups, Trustwave said.
"Because of that, the app is able to steal the focus and you're not able to hit the back button to exit out," Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, told CNet.
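The two patterns the article contrasts, as an added Android example that is not Trustwave's proof of concept or code from the page: a background service that brings its own screen to the front versus one that posts a notification and lets the user decide, followed by the check a legitimate login screen can make when something else covers it. Class names, the manifest registration they would need and the API 11+ Notification.Builder call are assumptions of this example.

```java
import android.app.Activity;
import android.app.Notification;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;
import android.widget.EditText;
import android.widget.Toast;

// Hypothetical background service that wants to show the user a prompt.
// showByStealingFocus() is the pattern Trustwave objected to: the activity
// is launched straight from the background and replaces whatever is on
// screen. showByNotification() is the alternative the article contrasts it
// with: the prompt only appears when the user taps the notification.
public class PromptService extends Service {
    private static final int NOTIFY_ID = 1;

    // A Service has no activity context, so FLAG_ACTIVITY_NEW_TASK is
    // required; the new activity comes to the front immediately and the
    // user has no say in the switch.
    void showByStealingFocus() {
        Intent i = new Intent(this, PromptActivity.class); // hypothetical activity
        i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        startActivity(i);
    }

    // Post a notification-bar alert instead (Notification.Builder needs
    // API 11+); the same activity opens only on the user's tap.
    void showByNotification() {
        Intent i = new Intent(this, PromptActivity.class);
        PendingIntent pi = PendingIntent.getActivity(this, 0, i,
                PendingIntent.FLAG_UPDATE_CURRENT);
        Notification n = new Notification.Builder(this)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle("Sign-in requested")
                .setContentText("Tap to open")
                .setContentIntent(pi)
                .getNotification();
        NotificationManager nm =
                (NotificationManager) getSystemService(Context.NOTIFICATION_SERVICE);
        nm.notify(NOTIFY_ID, n);
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}

// Defensive counterpart for a legitimate login screen (hypothetical bank
// app): Android tells an activity when another window takes the
// foreground, so the app can drop anything typed so far and warn the user
// once it is visible again.
class BankLoginActivity extends Activity {
    private EditText password;
    private boolean wasCovered;

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        password = new EditText(this);
        setContentView(password);
    }

    // hasFocus is false when another activity is brought in front of us.
    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        if (!hasFocus) {
            password.setText("");   // never leave typed credentials behind
            wasCovered = true;
        } else if (wasCovered) {
            wasCovered = false;
            Toast.makeText(this,
                    "Another screen covered this login. Check which app is asking before signing in again.",
                    Toast.LENGTH_LONG).show();
        }
    }
}
```

The focus-loss check is a heuristic, not a fix: it also fires for dialogs and the notification shade, it cannot tell the user which app covered the screen, and it only helps once the user is back in the genuine app. The structural point stands as the article describes it: nothing stops an app launched from the background from drawing over whatever the user was doing.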
Trustwave, as part of a presentation at the Defcon hacking conference, showed off a proof of concept that targeted Facebook, Amazon and Google passwords, with the fake screen replacing the original, which could catch users off guard.
"Rich interaction"
Google said the behaviour was not a flaw at all but part of Android's multitasking capabilities, although Trustwave said the company had told it that it was looking into the issue.
"Switching between applications is a desired capability used by many applications to encourage rich interaction between applications," Google said in a statement sent to CNet.
"We haven't seen any apps maliciously using this technique on Android Market and we will remove any apps that do."
However, Trustwave said waiting for an app to be reported before removing it was a "dangerous" stance.