
I'm stuck on the part of the attack where the malicious app opens another app:

> 2. Attacker app opens Google Authenticator's main activity

> 3. Attacker app opens a stack of activities to include graphical operations on pixels displayed by Google Authenticator's main activity

Android allows apps to call other apps? While remaining in the foreground? How does that work? I don't think iOS allows this.



> Android allows apps to call other apps? While remaining in the foreground? How does that work?

From the paper:

Recall from Section 2.1 that when a caller activity sends an intent to a callee activity, Android moves the callee activity to the foreground (along with its task's back stack if android:launchMode="singleTask") and moves the caller activity to the background.

However, despite no longer being in the foreground, the caller activity is still allowed to send intents that start additional activities from the background. For example, the caller activity can send another intent to launch a second callee activity.

In this case, the second callee moves to the foreground, while the first callee is moved to the background. Further, SurfaceFlinger treats the window of the second callee as being overlaid in front of the window of the first callee.

In our framework, the attacker app leverages this behavior to layer a stack of semi-transparent activities in front of a newly launched victim activity. In the following, we describe how the attacker uses this stack and SurfaceFlinger’s APIs to isolate, enlarge, and transmit individual pixels from the victim activity.


So kinda like StrandHogg and tapjacking had a horrible security breach baby


What I got from the article is the malicious app could read the SMS or email which may contain a 2FA code.



