It's a cool and interesting type of attack, but I really don't care for the breathless clickbait headlines that are sourced to a few security researchers demonstrating an attack in a lab, that has already been patched against and has never been seen in the wild.
> Android allows apps to call other apps? While remaining in the foreground? How does that work?
From the paper:
Recall from Section 2.1 that when a caller activity sends an intent to a callee activity, Android moves the callee activity to the foreground (along with its task’s back stack if android:-launchMode="singleTask") and moves the caller activity to the background.
However, despite no longer being in the foreground, the caller activity is still allowed to send intents that start additional activities from the background. For example, the caller activity can send another intent to launch a second callee activity.
In this case, the second callee moves to the foreground, while the first callee is moved to the background. Further, SurfaceFlinger treats the window of the second callee as being overlaid in front of the window of the first callee.
In our framework, the attacker app leverages this behavior to layer a stack of semi-transparent activities in front of a newly launched victim activity. In the following, we describe how the attacker uses this stack and SurfaceFlinger’s APIs to isolate, enlarge, and transmit individual pixels from the victim activity.
> Requires a victim to first install a malicious app on an Android phone or tablet
As Raymond Chen/Old New Thing likes to say this rather requires being on the other side of this airtight hatchway. You can allow apps to do things on your device.
That the app does not require permissions is the notable bit here. I do not know the mobile system, but I thought apps were supposed to be firewalled from each other unless given explicit grants.
The obvious joke, how long has Facebook been using this exploit?
> That the app does not require permissions is the notable bit here.
The article mentions that "the attacker renders something transparent in front of the target app". I would have thought that sort of thing would require the "appear on top" permission.
Several preinstalled bloatware stores such as Galaxy Store, Moto apps and so forth will default to opt-in to automatically installing 'recommended apps and games' - essentially spyware garbage they get kickbacks from - in the background, plus several flagship phones now come with Temu preinstalled.
The 90% of non technically-savvy Android users are 100% exposed to the OP exploit.
The app needs to be opened by the user for the exploit to work, as seen in the video the researchers published, so the surface attack is big but not that big.
I have definitely opened the wrong app by accident on a smartphone - super easy to tap the wrong thing in a variety of situations (grasping at an awkward angle to snap a photo, pocket taps, etc).
Yes, just because a popular blog about a infamously insecure operating system shrugged off certain classes of security problems as “you’re holding it wrong” two decades ago, OS security should be held to the same standard as that piece of shit OS forever. Nothing to see here.
Edit: IIRC the original argument was more reasonable, but it has since been abused in all kinds of situations to make low effort putdowns, like this one.
It also requires that whatever information the attacker is looking for has been displayed on the screen, so for example my banking app (like most banking apps I guess) masks my 4 digit passcode with asterisks so it is likely safe from this specific attack
PD: I just checked and it also doesn't change the color of the pressed keys or any other visual feedback that an attacker might use.
> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.
I think it speaks about the security of Android that this makes the news. Coming from Windows, Android always felt as a MUCH more secure Operating System, not just a similar quality Operating System with touch controls and support for smaller hardware.
That's a bit silly since seat belts were never designed or intended to protect against missiles. If a missile blows up your car that's no fault of your seat belt. You should expect android to prevent other apps from knowing what other apps you have installed and prevent them from accessing data they display though.
Just use the Google Authenticator's "Privacy Screen" which requires a PIN, pattern, or biometric verification to open the app. This renders this hack unusable ;-)
Unless you social engineer to export the auth code as QR, take a screenshot, extract the secret key which is pretty much in plain bytes and use it to generate TOTP.
There should be a new, stronger word for these kinds of attacks. Like clevevil, or clevil. Yes, pixnapping is clevil. We should strive for the opposite: livelc.
This attack seems to be explicitly exploiting the Android rendering pipeline through a side-channel.
Wayland, once hardened with security-context doesn't directly expose anything worrying (clipboard stealing is possible but would require window focus or the generation of a window which grabs focus). It remains to be seen if there are side-channels hiding somewhere in it or in the various GPU stacks.
> Google has attempted to patch Pixnapping by limiting the number of activities an app can invoke blur on. However, we discovered a workaround to make Pixnapping work despite this patch. The workaround is still under embargo.
Great, google's security policy ending up being a zeroday. Exactly as denied and exactly as predicted by the community.
I'm confused. They're saying that the original patch was incomplete and that they believe they've re-broken it, but that they aren't publishing the updated attack because the report is embargoed (presumably to update the fix).
What is the security policy you'd like to see here? If the researchers were to publish the updated attack before mitigation then that WOULD be a zero day!
This really needs to be the link. The article is phrased as if this was a zero day exploiting some kind of 2FA bug, but the actual meat is that it's a novel and really interesting new kind of attack vector (albeit not a particularly practical one) that no one had thought about before.
That's not what's happening here. The attack is exploiting a side channel of the rendering behavior, not reading the screen. There's no particular reason to believe that iOS is immune to something like this, though certainly no claim has been made. It's a new idea, it'll take a while for people to puzzle through the implications.
How are you sure? This isn't abusing some poorly secured screenshot API, this is a timing attack on the GPU rendering process and impacts a wide range of GPUs.
The issue isn't that a trojan gives the attacker access to things they shouldn't have access to, the problem is that android gives the trojan access to things it shouldn't so that the data it collects can be passed back to the attacker.
Would you buy a hammer that can't ever hurt your thumb? What implications would that have? Would that be a good hammer?
Bad opinion time that I hope will maybe at least be thought provoking: I would hope a malicious app I willingly installed will be able to behave maliciously. Our security bureaucracy is going to grow exponentially and people are still going to be stealing people's shit, because people need to be able to access their shit and people are dumb.
There was a time when we would have said something similar for table saws that cannot cut off your finger. Might be a little harder to pull off the trick with a hammer, but it just seems like another engineering problem. And it would make for a very expensive hammer.
It probably wouldn't be classified as a hammer anymore. You're comparing apples and oranges. Now when you show me the manual hand saw that can avoid cutting off your fingers you'll have an accurate comparison.
Because we're not comparing air nailers or electric nail guns or screw guns. It was about a hammer.
Your comparison is so ridiculous because the table saw did not obsolete any other kind of saw. It was only a new type of saw that allowed for some types of sawing to be done much easier.
Everybody knows about saw stop. But in what way does a table saw compare with a hammer? If you were comparing it to an air nailer, or an electric nail gun, or an electric screw gun, which all can have safety features that require certain things to be met before it will fire then you have a comparison.
If you want to compare the hammer to something that saws you would compare it to a handsaw. Show me the hand saw that cannot damage your fingers.
You must think you're very smart but I don't think you've done any manual labor in your life. Because the table saw never obsoleted any other type of existing saw. It was simply a new tool that enhanced the ability to do certain types of sawing. The more you limit a function of something the easier it is to put guardrails around it. That was the original poster's point. You can limit Android to the point that it is nearly useless or useless only for the most basic of tasks but then you remove the power of it but you do not remove the need for all of the other tasks.
Table saws with saw stop still necessitate hand saws in some circumstances. Power nailers that have safety features that prevent their discharge and unsafe ways do not obsolete hammers.
While I appreciate the sentiment of fighting against oversecure features. This is a great security feature. The Windows OS model started development in the 90s, before the internet or even malware was popular. Android started development around 2010 and was able to provide a security design that contemplated risks of malware and internet.
In Windows installing malware compromises other applications, while in Android, your other apps are safe. In this news, this security mechanism fails. To denounce that the mechanism is completely useless is quite stupid, you just outed yourself as someone who doesn't have any security responsibilities and shouldn't have.
They're called rubber mallets and they are useful in a number of situations where you want to
> I would hope a malicious app I willingly installed will be able to behave maliciously.
You should be able to install an app that has continuous access to your screen but that doesn't mean that continuous access to your screen is something you should have to grant to every piece of software that runs on your computer.
You can hurt your thumb with a rubber mallet. Maybe the better metaphor would be kids' safety scissors which I guess represents the iPhone, but I'd still rather go with the Android (regular scissors) because I'm an adult and I'll take responsibility for the risks of using the more powerful tool.
I think one can still build a product that has a level of guard rails without impacting usability.
I also think iOS is more of an opinionated 'set of shears'. E.g. 'Right Hand only Scissors made from proprietary parts, made to only cut objects that 80% of scissor users need to cut' if we were to go down the road of analogies.
Funnily enough Google Android is removing the ability for unsigned non-adb APKs. I would suggest your 'regular' scissors will be slightly bluntened in the upcoming Android 16 OS release.
Android supremacy at its finest. I would never recommend a family member buying one. The history of this kind of thing is long and keeps continuing to happen.
It's a cool and interesting type of attack, but I really don't care for the breathless clickbait headlines that are sourced to a few security researchers demonstrating an attack in a lab, that has already been patched against and has never been seen in the wild.
Good thing every Android phone gets fresh updates all the time then.
with detailed changelogs!
> has already been patched against
... has not been (effectively) patched against, as it happens. Maybe in December!
I'm stuck on the part of the attack where the malicious app opens another app:
> 2. Attacker app opens Google Authenticator's main activity
> 3. Attacker app opens a stack of activities to include graphical operations on pixels displayed by Google Authenticator's main activity
Android allows apps to call other apps? While remaining in the foreground? How does that work? I don't think iOS allows this.
> Android allows apps to call other apps? While remaining in the foreground? How does that work?
From the paper:
Recall from Section 2.1 that when a caller activity sends an intent to a callee activity, Android moves the callee activity to the foreground (along with its task’s back stack if android:-launchMode="singleTask") and moves the caller activity to the background.
However, despite no longer being in the foreground, the caller activity is still allowed to send intents that start additional activities from the background. For example, the caller activity can send another intent to launch a second callee activity.
In this case, the second callee moves to the foreground, while the first callee is moved to the background. Further, SurfaceFlinger treats the window of the second callee as being overlaid in front of the window of the first callee.
In our framework, the attacker app leverages this behavior to layer a stack of semi-transparent activities in front of a newly launched victim activity. In the following, we describe how the attacker uses this stack and SurfaceFlinger’s APIs to isolate, enlarge, and transmit individual pixels from the victim activity.
What I got from the article is the malicious app could read the SMS or email which may contain a 2FA code.
> Requires a victim to first install a malicious app on an Android phone or tablet
As Raymond Chen/Old New Thing likes to say this rather requires being on the other side of this airtight hatchway. You can allow apps to do things on your device.
That the app does not require permissions is the notable bit here. I do not know the mobile system, but I thought apps were supposed to be firewalled from each other unless given explicit grants.
The obvious joke, how long has Facebook been using this exploit?
> That the app does not require permissions is the notable bit here.
The article mentions that "the attacker renders something transparent in front of the target app". I would have thought that sort of thing would require the "appear on top" permission.
This sounds like a trick I read about years ago. Disappointing if it hasn’t been fixed.
Several preinstalled bloatware stores such as Galaxy Store, Moto apps and so forth will default to opt-in to automatically installing 'recommended apps and games' - essentially spyware garbage they get kickbacks from - in the background, plus several flagship phones now come with Temu preinstalled.
The 90% of non technically-savvy Android users are 100% exposed to the OP exploit.
The app needs to be opened by the user for the exploit to work, as seen in the video the researchers published, so the surface attack is big but not that big.
I have definitely opened the wrong app by accident on a smartphone - super easy to tap the wrong thing in a variety of situations (grasping at an awkward angle to snap a photo, pocket taps, etc).
I recommend the program universal android debloater, it will uninstall all those apps
Unless the manufacturer has placed their malware loader into the “nodisable” list.
Motorola are assholes and now prevent you from using pm to disable any of their malware loader apps on most of their phones.
It can happen quickly. The app itself might be legit, but it may be based in a SDK which is either malicious or compromised.
And there are a lot of automatically installed junk apps on most phones. And every OTA update seems to add more.
Yes, just because a popular blog about a infamously insecure operating system shrugged off certain classes of security problems as “you’re holding it wrong” two decades ago, OS security should be held to the same standard as that piece of shit OS forever. Nothing to see here.
Edit: IIRC the original argument was more reasonable, but it has since been abused in all kinds of situations to make low effort putdowns, like this one.
It also requires that whatever information the attacker is looking for has been displayed on the screen, so for example my banking app (like most banking apps I guess) masks my 4 digit passcode with asterisks so it is likely safe from this specific attack
PD: I just checked and it also doesn't change the color of the pressed keys or any other visual feedback that an attacker might use.
> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.
I think it speaks about the security of Android that this makes the news. Coming from Windows, Android always felt as a MUCH more secure Operating System, not just a similar quality Operating System with touch controls and support for smaller hardware.
https://0x0.st/XJZT.jpg
That's a bit silly since seat belts were never designed or intended to protect against missiles. If a missile blows up your car that's no fault of your seat belt. You should expect android to prevent other apps from knowing what other apps you have installed and prevent them from accessing data they display though.
In other news, there are substances in the household that are so dangerous that it can can kill you.
First it requires the user take buckets of ammonia and bleach and mix them together.
To be fair, it's more like, you can buy a bottle of ammonia, and then get poisoned by eating an apple.
Just use the Google Authenticator's "Privacy Screen" which requires a PIN, pattern, or biometric verification to open the app. This renders this hack unusable ;-)
Unless you social engineer to export the auth code as QR, take a screenshot, extract the secret key which is pretty much in plain bytes and use it to generate TOTP.
This is a really interesting new side channel attack. One I had never considered before; it’s like rowhammer but for the screen. Clever. Also evil.
Clever and evil.
There should be a new, stronger word for these kinds of attacks. Like clevevil, or clevil. Yes, pixnapping is clevil. We should strive for the opposite: livelc.
Curious if the same technique would also work on Wayland, given one of its design goals is higher cross-app security compared to Xorg.
This attack seems to be explicitly exploiting the Android rendering pipeline through a side-channel.
Wayland, once hardened with security-context doesn't directly expose anything worrying (clipboard stealing is possible but would require window focus or the generation of a window which grabs focus). It remains to be seen if there are side-channels hiding somewhere in it or in the various GPU stacks.
Don't worry you won't be able to install the bad application in the first place thanks to the new ID backed app signature.
Could this be mitigated by introducing some random timing jitter during rendering?
Source: https://www.pixnapping.com/
Quote:
> Google has attempted to patch Pixnapping by limiting the number of activities an app can invoke blur on. However, we discovered a workaround to make Pixnapping work despite this patch. The workaround is still under embargo.
Great, google's security policy ending up being a zeroday. Exactly as denied and exactly as predicted by the community.
Also, this is the direct paper link: https://www.pixnapping.com/pixnapping.pdf
I'm confused. They're saying that the original patch was incomplete and that they believe they've re-broken it, but that they aren't publishing the updated attack because the report is embargoed (presumably to update the fix).
What is the security policy you'd like to see here? If the researchers were to publish the updated attack before mitigation then that WOULD be a zero day!
This really needs to be the link. The article is phrased as if this was a zero day exploiting some kind of 2FA bug, but the actual meat is that it's a novel and really interesting new kind of attack vector (albeit not a particularly practical one) that no one had thought about before.
And they can’t with iPhones?
iOS doesn't let apps silently screen record.
That's not what's happening here. The attack is exploiting a side channel of the rendering behavior, not reading the screen. There's no particular reason to believe that iOS is immune to something like this, though certainly no claim has been made. It's a new idea, it'll take a while for people to puzzle through the implications.
How are you sure? This isn't abusing some poorly secured screenshot API, this is a timing attack on the GPU rendering process and impacts a wide range of GPUs.
Neither does Android. This is a timing attack on rendering.
More accurate title: "There's a new trojan out for android. Like any trojan, it gives the attacker access to things they shouldn't have access to"
The issue isn't that a trojan gives the attacker access to things they shouldn't have access to, the problem is that android gives the trojan access to things it shouldn't so that the data it collects can be passed back to the attacker.
Would you buy a hammer that can't ever hurt your thumb? What implications would that have? Would that be a good hammer?
Bad opinion time that I hope will maybe at least be thought provoking: I would hope a malicious app I willingly installed will be able to behave maliciously. Our security bureaucracy is going to grow exponentially and people are still going to be stealing people's shit, because people need to be able to access their shit and people are dumb.
> requires no [Android] permissions
I think this is the part people are upset about
> Would you buy a hammer that can't ever hurt your thumb?
Yes.
I believe those hammers are made by Nerf. Now go build a house with one.
There was a time when we would have said something similar for table saws that cannot cut off your finger. Might be a little harder to pull off the trick with a hammer, but it just seems like another engineering problem. And it would make for a very expensive hammer.
It probably wouldn't be classified as a hammer anymore. You're comparing apples and oranges. Now when you show me the manual hand saw that can avoid cutting off your fingers you'll have an accurate comparison.
Because we're not comparing air nailers or electric nail guns or screw guns. It was about a hammer.
Your comparison is so ridiculous because the table saw did not obsolete any other kind of saw. It was only a new type of saw that allowed for some types of sawing to be done much easier.
Would you buy an electric saw that cannot damage your fingers?
https://www.youtube.com/watch?v=oQu3ccfl7Ow
Or you would yell at a cloud?
Everybody knows about saw stop. But in what way does a table saw compare with a hammer? If you were comparing it to an air nailer, or an electric nail gun, or an electric screw gun, which all can have safety features that require certain things to be met before it will fire then you have a comparison.
If you want to compare the hammer to something that saws you would compare it to a handsaw. Show me the hand saw that cannot damage your fingers.
You must think you're very smart but I don't think you've done any manual labor in your life. Because the table saw never obsoleted any other type of existing saw. It was simply a new tool that enhanced the ability to do certain types of sawing. The more you limit a function of something the easier it is to put guardrails around it. That was the original poster's point. You can limit Android to the point that it is nearly useless or useless only for the most basic of tasks but then you remove the power of it but you do not remove the need for all of the other tasks.
Table saws with saw stop still necessitate hand saws in some circumstances. Power nailers that have safety features that prevent their discharge and unsafe ways do not obsolete hammers.
While I appreciate the sentiment of fighting against oversecure features. This is a great security feature. The Windows OS model started development in the 90s, before the internet or even malware was popular. Android started development around 2010 and was able to provide a security design that contemplated risks of malware and internet.
In Windows installing malware compromises other applications, while in Android, your other apps are safe. In this news, this security mechanism fails. To denounce that the mechanism is completely useless is quite stupid, you just outed yourself as someone who doesn't have any security responsibilities and shouldn't have.
> Would that be a good hammer?
They're called rubber mallets and they are useful in a number of situations where you want to
> I would hope a malicious app I willingly installed will be able to behave maliciously.
You should be able to install an app that has continuous access to your screen but that doesn't mean that continuous access to your screen is something you should have to grant to every piece of software that runs on your computer.
You can hurt your thumb with a rubber mallet. Maybe the better metaphor would be kids' safety scissors which I guess represents the iPhone, but I'd still rather go with the Android (regular scissors) because I'm an adult and I'll take responsibility for the risks of using the more powerful tool.
I think one can still build a product that has a level of guard rails without impacting usability.
I also think iOS is more of an opinionated 'set of shears'. E.g. 'Right Hand only Scissors made from proprietary parts, made to only cut objects that 80% of scissor users need to cut' if we were to go down the road of analogies.
Funnily enough Google Android is removing the ability for unsigned non-adb APKs. I would suggest your 'regular' scissors will be slightly bluntened in the upcoming Android 16 OS release.
Why are you speaking like having a secure device and a powerful device are exclusive options?
TL;DR; This is a timing attack on rendering that allows capture of screen data.
tl;dr: This hack is "using a timing attack exploiting the GPU's graphical data compression to try finding out the color of the pixels."
Tldr: this is a timing-based side channel in GPUs allowing and attacker to read pixels from the screen without special privs.
Side channels are why we can't have nice things.
Android supremacy at its finest. I would never recommend a family member buying one. The history of this kind of thing is long and keeps continuing to happen.