Android Marshmallow Tapjacking Test
The run-time permission model on Android Marshmallow was supposed to
make Android devices secure from apps gathering unnecessary information.
However, it has been brought to public attention that some
malicious apps on Marshmallow have found a way to tapjack your actions into granting them permissions which you never explicitly granted.
For a malicious app to tapjack your device, it’ll need the screen overlay permission (Permit drawing over other apps).
Once it has that permission, it can potentially trick you into
feeding it sensitive data. For example, a malicious app with screen overlay
permission could place a fake password input on top of a real login
screen in order to collect your passwords.
How Tapjacking Works
Developer Iwo Banaś created an application to demonstrate the exploit. It works like this:
- When an app asks for permissions, the malicious app covers up the original app’s permission box with a prompt for whatever permission it wants
- If the user then taps “Allow” on the malicious app’s overlay, the tap goes through to the real dialog underneath and grants the permission the malicious app actually asked for, which can put the data on the device at risk. The user never finds out.
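The developer-side defence against the overlay trick described above, as an added example that is not part of the original article or of Iwo Banaś’s demo app: a button that refuses taps delivered while another window is drawn over it, using the Android framework’s `MotionEvent.FLAG_WINDOW_IS_OBSCURED` touch flag (the same check that `android:filterTouchesWhenObscured="true"` enables from XML). The class name `ObscureAwareButton` and the log tag are assumptions.

```java
// Added example (not from the article): a sensitive button, e.g. a login or
// "Allow" control, that drops touches arriving while an overlay covers it.
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscureAwareButton extends Button {
    // Hypothetical log tag for the dropped-touch warning.
    private static final String TAG = "TapjackGuard";

    public ObscureAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true": the
        // framework discards touches delivered while a window from another
        // app (e.g. one holding "Permit drawing over other apps") is on top.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // Runs before onTouchEvent(). The window manager sets
        // FLAG_WINDOW_IS_OBSCURED when another window lies over this view
        // at the touch location, which is exactly the tapjacking situation.
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            Log.w(TAG, "Touch dropped: this view is obscured by another window");
            return false; // swallow the tap instead of acting on it
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

This protects the app’s own views; it does not change how the system permission dialog itself handles overlays, which is what the device test below exercises.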
The folks over at XDA did a test to check which of their devices
are vulnerable to the tapjacking exploit. Below are the results:
- Nextbit Robin – Android 6.0.1 with June security patches – Vulnerable
- Moto X Pure – Android 6.0 with May security patches – Vulnerable
- Honor 8 – Android 6.0.1 with July security patches – Vulnerable
- Motorola G4 – Android 6.0.1 with May security patches – Vulnerable
- OnePlus 2 – Android 6.0.1 with June security patches – Not Vulnerable
- Samsung Galaxy Note 7 – Android 6.0.1 with July security patches – Not Vulnerable
- Google Nexus 6 – Android 6.0.1 with August security patches – Not Vulnerable
- Google Nexus 6P – Android 7.0 with August security patches – Not Vulnerable
VIA XDA
XDA also created APKs to let other users test whether their Android
devices running Android 6.0/6.0.1 Marshmallow are vulnerable to
tapjacking. Download both APKs (the Tapjacking app and the Tapjacking service helper app) from the download links below and follow the instructions to check for the tapjacking vulnerability on your device.
How to Check Tapjacking Vulnerability on Android Marshmallow and Nougat devices
- Install both marshmallow-tapjacking.apk and marshmallow-tapjacking-service.apk files on your device.
- Open Tapjacking app from your app drawer.
- Tap on TEST button.
Left: Vulnerable | Right: Not vulnerable
If your device is vulnerable, be sure to ask your manufacturer to
release a security patch to fix the Tapjacking vulnerability on your
device.
How to Safeguard yourself from Tapjacking Vulnerability
If your device has tested positive for the tapjacking vulnerability, we would advise you not to grant the Permit drawing over other apps permission
to apps that you do not fully trust. This permission is the only
gateway for malicious apps to take advantage of this exploit.
Also, always ensure that the apps you install on your device come from a trusted developer and source.