Patching Android vulnerabilities
NSF-funded computer scientists identified vulnerabilities in Android operating systems, protecting users from cyberattacks
March 27, 2018
In May 2017, NSF-funded computer scientists uncovered vulnerabilities in the Android operating system that would allow attackers to view information on a user's phone. The vulnerability occurs when the device's owner activates a legitimate app that requests permission to overlay a feature, such as a chat window, on the phone's screen.
When enabled, this feature -- the "cloak" -- lets a hacker superimpose a fake window on top of the mobile user's window without their knowledge. The second app -- the "dagger" -- takes information captured by the hacker's "fake" window and conveys it to the real app beneath, giving the appearance that everything is normal.
The scientists alerted Google and worked with the company to implement a fix. A patch for the problem was released in early September 2017.
Directorate for Computer and Information Science and Engineering
#1017265 TC: Small: A Foundational and Practical Platform for Host Security Applications
#0831300 Collaborative Research: CT-L: CLEANSE: Cross-Layer Large-Scale Efficient Analysis of Network Activities to Secure the Internet