

Android 0-day vulnerability – Drive by download - Usu
http://seclists.org/fulldisclosure/2015/Apr/77

======
cpncrunch
No, this is nothing new. The user is in fact manually downloading the app and
accepting the permissions. The app then maliciously connects to a server and
runs commands without the user knowing. However, we already knew that this was
possible in Android. It's not a 'zero day vulnerability' or a 'drive by
download' at all. Just another example of why you need to be careful what you
download on Android.

~~~
millstone
No, that's not true. Look at the video starting 35 seconds in. The user
touching the "Confirmer" button is actually pressing the "Accept" button on
the "App Permissions" dialog. But the user doesn't know that, because another
window has been overlaid on top of the App Permissions dialog.

~~~
cpncrunch
Ok, thanks. That wasn't entirely clear from Google's French translation.

However, you still have to download the dodgy app in the first place. There's a
lot of bad stuff that apps can do if you give them permission. This is just a
case of a bad app downloading another bad app (perhaps with slightly more
permissions).

In the grand scheme of things it doesn't really make much difference -- all
apps now request a whole bunch of permissions, and most people don't really
even care which permissions are being asked for. You really just need to trust
the app that you're downloading.

------
millstone
My reading of the vulnerability is that you have some app with few
permissions, that then triggers installing an app with many permissions. The
user is presented with a confirmation dialog for this installation. However,
the low-permission app can overlay a window on top of this dialog, showing any
content it likes, and this window can be configured to pass touch events
through. So the user thinks he is interacting with this overlay window but is
in reality confirming the installation of the new app.
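
Added example, not part of the thread and not code from the advisory: one way an app can protect its own confirmation controls against the kind of pass-through overlay described above, using Android's obscured-touch filtering. The class name `ObscuredAwareConfirmButton` and the log tag are hypothetical, and the sketch assumes the button is inflated from a layout inside an ordinary Android app; it does not change how the system install dialog behaves.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Hypothetical confirmation button that refuses touches delivered while
 * another visible window is drawn on top of the window that hosts it.
 */
public class ObscuredAwareConfirmButton extends Button {

    private static final String TAG = "ObscuredAwareConfirm"; // hypothetical tag

    public ObscuredAwareConfirmButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Ask the framework to discard touches whenever this view's window
        // is obscured by another visible window at the touch location.
        setFilterTouchesWhenObscured(true);
    }

    /**
     * Called by the framework before a touch is dispatched to this view.
     * Returning false drops the event, so the click listener never fires.
     */
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            // Log once per gesture so the dropped tap is visible in testing.
            if (event.getActionMasked() == MotionEvent.ACTION_DOWN) {
                Log.w(TAG, "Touch dropped: window is obscured by an overlay");
            }
            return false;
        }
        // Not obscured: defer to the default policy set in the constructor.
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

The same filter can be enabled declaratively with `android:filterTouchesWhenObscured="true"` on any view in a layout; the override above only adds the log line.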

