“The ability to manipulate Android home screen icons, when abused, can help an attacker deceive the user,” said FireEye researchers Yulong Zhang, Hui Xue and Tao Wei, in an analysis.
Android developer guidelines classify permissions – the requests that apps make in order to function – into several different strata: “normal”, “dangerous”, “system”, “signature” and “development.”
As FireEye pointed out, dangerous permissions “may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities.” In contrast, normal permissions are automatically granted at installation, “without asking for the user's explicit approval.”
And so, on the latest Android 4.4.2 system, if an app requests normal permissions, even if it’s also requesting dangerous permissions, Android doesn’t display the normal permissions to the user. And therein lies the problem. If Android doesn’t notify the user about the normal permissions, then whatever those permissions guard can be modified without the user knowing.
In this case, an attacker can manipulate Android home screen icons using two normal permissions, which enable an app to query, insert, delete or modify the whole configuration settings of the app launcher, including the icon insertion or modification. As a proof-of-concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website.
“Unfortunately, these two permissions have been labeled as ‘normal’ since Android 1.x,” the researchers said. “We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2. Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it.”
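The practical consequence for anyone reviewing apps is that the install-time prompt is not a complete inventory of what an app can do: anything at the "normal" level is granted without ever being shown. The following script is an added example (not code from FireEye or from this article) of how a reviewer or an app-store scanner can surface that silent grant from an app's manifest. It parses the `uses-permission` entries, separates those that would be prompted from those that would not, and raises a finding when the launcher-settings permissions are present. The article does not name the two permissions; the names `com.android.launcher.permission.READ_SETTINGS` and `WRITE_SETTINGS` and the partial protection-level table are assumptions of this example, and the manifest is constructed sample input.

```python
"""Triage an AndroidManifest.xml for permissions that are granted without a prompt.

Added example; the permission names and protection levels below are assumptions
reflecting the Android 4.4-era behaviour the article describes, not an official table.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed, partial protection-level table for the permissions this check cares about.
PROTECTION_LEVELS = {
    "com.android.launcher.permission.READ_SETTINGS": "normal",
    "com.android.launcher.permission.WRITE_SETTINGS": "normal",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "dangerous",
    "android.permission.INTERNET": "normal",
    "android.permission.READ_CONTACTS": "dangerous",
}

LAUNCHER_READ = "com.android.launcher.permission.READ_SETTINGS"
LAUNCHER_WRITE = "com.android.launcher.permission.WRITE_SETTINGS"

# Constructed sample manifest: a "flashlight" app that also asks for launcher settings access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashlight">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS" />
    <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS" />
    <application android:label="Flashlight" />
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every permission name declared in <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def split_by_prompt(perms):
    """Split permissions into (shown to the user, granted silently) per the assumed table.

    Unknown permissions are treated as prompted so they are never hidden from review.
    """
    prompted = sorted(p for p in perms if PROTECTION_LEVELS.get(p, "dangerous") != "normal")
    silent = sorted(p for p in perms if PROTECTION_LEVELS.get(p) == "normal")
    return prompted, silent


def triage(manifest_xml: str) -> dict:
    """Produce review findings for launcher-settings access that the install prompt would not show."""
    perms = requested_permissions(manifest_xml)
    prompted, silent = split_by_prompt(perms)
    findings = []
    if LAUNCHER_WRITE in perms:
        findings.append("WRITE launcher settings: app can rewrite home screen icon "
                        "configuration; granted with no install-time prompt")
    if LAUNCHER_READ in perms and LAUNCHER_WRITE in perms:
        findings.append("READ+WRITE launcher settings together: app can enumerate "
                        "existing icons and alter them, the scenario FireEye described")
    return {"prompted": prompted, "silent": silent, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("shown at install:", report["prompted"])
    print("granted silently:", report["silent"])
    for f in report["findings"]:
        print("FINDING:", f)
```

Running it on the constructed manifest shows the install screen would list nothing at all (every requested permission is "normal"), while the triage output flags the launcher write access. The unknown-permission default of "prompted" is deliberate: a reviewer tool should fail toward showing more, not less.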
Google is aware that permissions can potentially be an issue. The permission that allows an app to create icons, for instance, was recategorized from ‘normal’ to ‘dangerous’ as of Android 4.2. And in this case, Google has acknowledged the vulnerability and has released the patch to its OEM partners. But, “many Android vendors were slow to adapt security upgrades,” the researchers said. “We urge these vendors to patch vulnerabilities more quickly to protect their users.”