4 comments

[ 5.5 ms ] story [ 32.3 ms ] thread
No, this is nothing new. The user is in fact manually downloading the app and accepting the permissions. The app then maliciously connects to a server and runs commands without the user knowing. However we already knew that this was possible in Android. It's not a 'zero day vulnerability' or a 'drive by download' at all. Just another example of why you need to be careful what you download on Android.
No, that's not true. Look at the video starting 35 seconds in. The user touching the "Confirmer" button is actually pressing the "Accept" button on the "App Permissions" dialog. But the user doesn't know that, because another window has been overlaid on top of the App Permissions dialog.
Ok, thanks. That wasn't entirely clear from google's French translation.

However you still have to download the dodgy app in the first place. There's a lot of bad stuff that apps can do if you give them permission. This is just a case of a bad app downloading another bad app (perhaps with slightly more permissions).

In the grand scheme of things it doesn't really make much difference -- all apps now request a whole bunch of permissions that most people don't really even care which permissions are being asked for. You really just need to trust the app that you're downloading.

My reading of the vulnerability is that you have some app with few permissions, that then triggers installing an app with many permissions. The user is presented with a confirmation dialog for this installation. However, the low-permission app can overlay a window on top of this dialog, showing any content it likes, and this window can be configured to pass touch events through. So the user thinks he is interacting with this overlay window but is in reality confirming the installation of the new app.