This time the problem involves the mobile operating system's ability to run more than one app at once – as opposed to its handling of multimedia messages, which was the crux of a cyber of vulnerabilities last month.
The latest security blunder opens the door to criminals who want to spy on device owners, steal login details, install ransomware, and so on, it is claimed.
We're told the vulnerability can be exploited to show a spoofed user interface, controlled by an attacker, when someone starts an app: the owner will not be aware that they are typing into another program masquerading as a legit application.
"The enabled attacks can affect all latest Android versions and all apps (including the most privileged system apps) installed on the system," warned Chuangang Ren, a security researcher from Penn State University.
A paper on the vulnerability [PDF] – presented at the USENIX Security 15 conference in Washington DC last week – explained:
The five researchers – Chuangang Ren and Peng Liu, both from the Pennsylvania State University; Yulong Zhang, Hui Xue, and Tao Wei, all from FireEye – have notified the Android team about the findings of their research. Their 16-page paper, Towards Discovering and Understanding Task Hijacking in Android, outlines the risk in greater depth, as well as suggesting possible mitigation techniques.
A quick overview of the vulnerability can be found in the video below.
El Reg asked Google to comment, but we're yet to hear back from the IT giant.
Updated to add
A Google spokeswoman reckons the researchers have overstated the threat, and have failed to factor in protection mechanisms in place in Android. "We appreciate this theoretical research as it makes Android's security stronger," she said.
"Android users are protected from attempts at phishing or hijacking like this (including manipulation of the user interface) with Verify Apps and Safety Net security features."
Due to the recent rash of Android vulnerabilities, it has become clear that a new collective noun for such flaws is required. A "cyber" of flaws is one of several new terms currently being rigorously tested at Vulture Central. If you have any opinions on this or any other suggestions, please feel free to express them in the comment section.