Google Confirms Tapjacking Attack – Likely All Versions Are Affected!

Stephan Huber and I found a dangerous tapjacking vulnerability in the Android Open Source Project (AOSP) which causes serious security issues. Tapjacking, which is similar to clickjacking for web applications, is an attack where the user clicks/taps on seemingly benign objects in applications, triggering unintended actions not actually intended by the victim[1]. This results to dangerous security issues. Unfortunately, we already found malware samples in the wild that include our attack. To the best of our knowledge, the attack seems to apply to all currently available Android versions back til version 2.3. The attack, together with a patch, has already been submitted to the Android Security team who confirmed our vulnerability and add our patch to the next major release of the AOSP. More details on the attack will follow as soon as the AOSP is patched. The contribution is nominated for Google’s Patch Award.

[1] Marcus Niemietz and Jörg Schwenk, UI Redressing Attacks on Android Devices, BlackHat Asia 2014

Combating Dormant Malware Apps with Harvester

Over the past few days, the news has been full of a report of “dormant” malware that infected millions of Android devices. (German article here on The malware previously went unnoticed by laying dormant for several hours, sometimes multiple days, after installation, in some cases even requiring a reboot of the device to become active. Dynamic-analysis procedures usually only run for minutes and for efficiency reasons do not simulate situations like reboot Contrary to the current perception, though, this problem had long been identified, and in fact today with this article we are revealing Harvester, a new tool to address exactly this problem.

Harvester* uses a unique novel combination of static and dynamic analysis and code transformation to (1) identify and eliminate emulator and timeout checks from apps, and (2) that way allows for the extraction of interesting runtime values such as reflective method calls, target numbers of calls to the SMS APIs, account-data hard-wired in the malware, etc. In addition, Harvester is resilient against virtually all current cases of code obfuscation.

Continue reading