> Requires a victim to first install a malicious app on an Android phone or tablet

As Raymond Chen/Old New Thing likes to say, this rather requires being on the other side of this airtight hatchway. You can allow apps to do things on your device.


That the app does not require permissions is the notable bit here. I do not know the mobile system, but I thought apps were supposed to be firewalled from each other unless given explicit grants.

The obvious joke, how long has Facebook been using this exploit?

Several preinstalled bloatware stores such as Galaxy Store, Moto apps and so forth will default to opt-in to automatically installing 'recommended apps and games' - essentially spyware garbage they get kickbacks from - in the background, plus several flagship phones now come with Temu preinstalled.

The 90% of non technically-savvy Android users are 100% exposed to the OP exploit.

The app needs to be opened by the user for the exploit to work, as seen in the video the researchers published, so the surface attack is big but not that big.

I have definitely opened the wrong app by accident on a smartphone - super easy to tap the wrong thing in a variety of situations (grasping at an awkward angle to snap a photo, pocket taps, etc).

I recommend the program Universal Android Debloater, it will uninstall all those apps.

Unless the manufacturer has placed their malware loader into the “nodisable” list.

Motorola are assholes and now prevent you from using pm to disable any of their malware loader apps on most of their phones.

> That the app does not require permissions is the notable bit here.

The article mentions that "the attacker renders something transparent in front of the target app". I would have thought that sort of thing would require the "appear on top" permission.

This sounds like a trick I read about years ago. Disappointing if it hasn’t been fixed.

> The obvious joke, how long has Facebook been using this exploit?

They were caught exfiltrating data from phones, with no visible Facebook app installed, only the background one.

Yes, just because a popular blog about an infamously insecure operating system shrugged off certain classes of security problems as “you’re holding it wrong” two decades ago, OS security should be held to the same standard as that piece of shit OS forever. Nothing to see here.

Edit: IIRC the original argument was more reasonable, but it has since been abused in all kinds of situations to make low effort putdowns, like this one.

It can happen quickly. The app itself might be legit, but it may be based on an SDK which is either malicious or compromised.

And there are a lot of automatically installed junk apps on most phones. And every OTA update seems to add more.

> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.

I think it speaks about the security of Android that this makes the news. Coming from Windows, Android always felt as a MUCH more secure Operating System, not just a similar quality Operating System with touch controls and support for smaller hardware.

Raymond Chen's saying is about trust boundaries. That if there's no trust boundary defined, or if a defined boundary is being crossed with consent, then it is unsound to claim there being a security vulnerability (which would be a behavior that allows for crossing a trust boundary without consent).

This doesn't apply in this case, as (usermode apps') screen capturing does require permission, and applications can specifically opt-out from being captured by apps even with that permission, which Google Authenticator does have set. So a trust boundary is being violated, therefore this is a legitimate security issue by his logic.

It also requires that whatever information the attacker is looking for has been displayed on the screen, so for example my banking app (like most banking apps I guess) masks my 4 digit passcode with asterisks so it is likely safe from this specific attack.

PS: I just checked and it also doesn't change the color of the pressed keys or any other visual feedback that an attacker might use.

Right, but if you were using TOTP or SMS 2FA, because said bank is a "global leader" but hasn't evolved their end user tech in a long time...

That's a bit silly since seat belts were never designed or intended to protect against missiles. If a missile blows up your car that's no fault of your seat belt. You should expect android to prevent other apps from knowing what other apps you have installed and prevent them from accessing data they display though.

In other news, there are substances in the household that are so dangerous that they can kill you.

First it requires the user take buckets of ammonia and bleach and mix them together.

To be fair, it's more like, you can buy a bottle of ammonia, and then get poisoned by eating an apple.
