Difficult-to-remove Android multitasking bug could leave smartphones open to hijacking

PUBLISHED : Thursday, 27 August, 2015, 7:00am
UPDATED : Thursday, 27 August, 2015, 8:40am

A security hole discovered by researchers in Google's Android operating system could leave smartphones vulnerable to hijacking.

In a series of videos posted on YouTube, researchers from the Cyber Security Lab of Pennsylvania State University demonstrated how the vulnerability could be exploited by a malicious app to take control of someone's phone.

After downloading and running a malicious app on a user's phone, the researchers had complete remote control of the device and access to sensitive data. Unlike previous security breaches detected in Android however, the problem stems from a fundamental feature, without which the whole system would not function.

READ MORE: One in every 10 Android apps 'contains malicious code' – US-China study

That could make fixing the hole incredibly difficult.

At a paper presented at the USENIX security conference earlier this month, the Penn State researchers said that Android's multitasking function – which allows users to run several apps at once and switch between them – makes "all recent versions of Android vulnerable to task hijacking attacks".

In an examination of more than 6.8 million apps on various Android stores, the researchers found the risk to be "prevalent".

“Attackers may steal login credentials, implement ransomware and spy on users' activities,” the paper said.

Ren Chuangang, one of the authors of the study, told the South China Morning Post that he and his fellow researchers had alerted Google to the problem, but the firm said it had "no immediate plan to fix this issue".

"The vulnerability stems from the unique design of Android multitasking," he said.

"Fixing the issue requires balancing security with the usefulness of the feature."

That meant any effort to reduce the security risk would negatively affect user experience, and unless the multitasking feature was removed from Android, or completely reprogrammed, the threat would persist.

“Our intention is to make users aware of the security risks,” Ren said.

“For normal users, the best option is to install software from legitimate official sources, and be cautious of the security risks when using an app from untrusted sources.”

Google did not respond to a request to comment from the Post. Speaking to UK tech site The Register however, a spokeswoman said the researchers had overstated the threat.

"Android users are protected from attempts at phishing or hijacking like this (including manipulation of the user interface) with Verify Apps and Safety Net security features," she said.

However, while that may be true for users in the west, Google's official Play store is blocked in China, and users there are far more used to downloading apps from unverified and potentially malicious sources.

Android has come under fire in the past for poor security. A joint study by Chinese and US researchers earlier this year found that one in every ten Android apps contained malicious code.