UI REDRESSING ATTACKS ON ANDROID DEVICES presented at Blackhat Abu Dhabi 2012

by Marcus Niemietz,

Tags: Android Attack Defence Tapjacking

Summary : In this presentation, we describe novel high-impact user interface attacks on Android-based mobile devices, additionally focusing on showcasing the possible mitigation techniques for such attacks. We discuss which UI redressing attacks can be transferred from desktop- to mobile- browser field. Our main contribution is a demonstration of a browserless tap-jacking attack, which greatly enriches the impact of previous work on this matter. With this technique, one can perform unauthorized home screen navigation and attempt actions like (premium number) phone calls without having been granted appropriate privileges. To protect against this attack, we introduce a concept of a security layer that catches all tap-jacking attempts before they can reach home screen/arbitrary applications.