It's a cool and interesting type of attack, but I really don't care for the breathless clickbait headlines that are sourced to a few security researchers demonstrating an attack in a lab, that has already been patched against and has never been seen in the wild.
> Android allows apps to call other apps? While remaining in the foreground? How does that work?
From the paper:
Recall from Section 2.1 that when a caller activity sends an intent to a callee activity, Android moves the callee activity to the foreground (along with its task’s back stack if android:-launchMode="singleTask") and moves the caller activity to the background.
However, despite no longer being in the foreground, the caller activity is still allowed to send intents that start additional activities from the background. For example, the caller activity can send another intent to launch a second callee activity.
In this case, the second callee moves to the foreground, while the first callee is moved to the background. Further, SurfaceFlinger treats the window of the second callee as being overlaid in front of the window of the first callee.
In our framework, the attacker app leverages this behavior to layer a stack of semi-transparent activities in front of a newly launched victim activity. In the following, we describe how the attacker uses this stack and SurfaceFlinger’s APIs to isolate, enlarge, and transmit individual pixels from the victim activity.
> Requires a victim to first install a malicious app on an Android phone or tablet
As Raymond Chen/Old New Thing likes to say this rather requires being on the other side of this airtight hatchway. You can allow apps to do things on your device.
That the app does not require permissions is the notable bit here. I do not know the mobile system, but I thought apps were supposed to be firewalled from each other unless given explicit grants.
The obvious joke, how long has Facebook been using this exploit?
Several preinstalled bloatware stores such as Galaxy Store, Moto apps and so forth will default to opt-in to automatically installing 'recommended apps and games' - essentially spyware garbage they get kickbacks from - in the background, plus several flagship phones now come with Temu preinstalled.
The 90% of non technically-savvy Android users are 100% exposed to the OP exploit.
> That the app does not require permissions is the notable bit here.
The article mentions that "the attacker renders something transparent in front of the target app". I would have thought that sort of thing would require the "appear on top" permission.
Yes, just because a popular blog about a infamously insecure operating system shrugged off certain classes of security problems as “you’re holding it wrong” two decades ago, OS security should be held to the same standard as that piece of shit OS forever. Nothing to see here.
Edit: IIRC the original argument was more reasonable, but it has since been abused in all kinds of situations to make low effort putdowns, like this one.
> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.
I think it speaks about the security of Android that this makes the news. Coming from Windows, Android always felt as a MUCH more secure Operating System, not just a similar quality Operating System with touch controls and support for smaller hardware.
Raymond Chen's saying is about trust boundaries. That if there's no trust boundary defined, or if a defined boundary is being crossed with consent, then it is unsound to claim there being a security vulnerability (which would be a behavior that allows for crossing a trust boundary without consent).
This doesn't apply in this case, as (usermode apps') screen capturing does require permission, and applications can specifically opt-out from being captured by apps even with that permission, which Google Authenticator does have set. So a trust boundary is being violated, therefore this is a legitimate security issue by his logic.
It also requires that whatever information the attacker is looking for has been displayed on the screen, so for example my banking app (like most banking apps I guess) masks my 4 digit passcode with asterisks so it is likely safe from this specific attack
PD: I just checked and it also doesn't change the color of the pressed keys or any other visual feedback that an attacker might use.
That's a bit silly since seat belts were never designed or intended to protect against missiles. If a missile blows up your car that's no fault of your seat belt. You should expect android to prevent other apps from knowing what other apps you have installed and prevent them from accessing data they display though.
There should be a new, stronger word for these kinds of attacks. Like clevevil, or clevil. Yes, pixnapping is clevil. We should strive for the opposite: livelc.
> Google has attempted to patch Pixnapping by limiting the number of activities an app can invoke blur on. However, we discovered a workaround to make Pixnapping work despite this patch. The workaround is still under embargo.
Great, google's security policy ending up being a zeroday. Exactly as denied and exactly as predicted by the community.
I'm confused. They're saying that the original patch was incomplete and that they believe they've re-broken it, but that they aren't publishing the updated attack because the report is embargoed (presumably to update the fix).
What is the security policy you'd like to see here? If the researchers were to publish the updated attack before mitigation then that WOULD be a zero day!
This really needs to be the link. The article is phrased as if this was a zero day exploiting some kind of 2FA bug, but the actual meat is that it's a novel and really interesting new kind of attack vector (albeit not a particularly practical one) that no one had thought about before.
Just use the Google Authenticator's "Privacy Screen" which requires a PIN, pattern, or biometric verification to open the app. This renders this hack unusable ;-)
Unless you social engineer to export the auth code as QR, take a screenshot, extract the secret key which is pretty much in plain bytes and use it to generate TOTP.
> Does Google plan to patch these APIs?
>
> Google has attempted to patch Pixnapping by limiting the number of activities an app can invoke blur on. However, we discovered a workaround to make Pixnapping work despite this patch. The workaround is still under embargo.
Can I assume this is being exploited in the wild? Some black hats must be smart enough to figure out the workaround on their own.
This attack seems to be explicitly exploiting the Android rendering pipeline through a side-channel.
Wayland, once hardened with security-context doesn't directly expose anything worrying (clipboard stealing is possible but would require window focus or the generation of a window which grabs focus). It remains to be seen if there are side-channels hiding somewhere in it or in the various GPU stacks.
Would you buy a hammer that can't ever hurt your thumb? What implications would that have? Would that be a good hammer?
Bad opinion time that I hope will maybe at least be thought provoking: I would hope a malicious app I willingly installed will be able to behave maliciously. Our security bureaucracy is going to grow exponentially and people are still going to be stealing people's shit, because people need to be able to access their shit and people are dumb.
While I appreciate the sentiment of fighting against oversecure features. This is a great security feature. The Windows OS model started development in the 90s, before the internet or even malware was popular. Android started development around 2010 and was able to provide a security design that contemplated risks of malware and internet.
In Windows installing malware compromises other applications, while in Android, your other apps are safe. In this news, this security mechanism fails. To denounce that the mechanism is completely useless is quite stupid, you just outed yourself as someone who doesn't have any security responsibilities and shouldn't have.
They're called rubber mallets and they are useful in a number of situations where you want to
> I would hope a malicious app I willingly installed will be able to behave maliciously.
You should be able to install an app that has continuous access to your screen but that doesn't mean that continuous access to your screen is something you should have to grant to every piece of software that runs on your computer.
You can hurt your thumb with a rubber mallet. Maybe the better metaphor would be kids' safety scissors which I guess represents the iPhone, but I'd still rather go with the Android (regular scissors) because I'm an adult and I'll take responsibility for the risks of using the more powerful tool.
The issue isn't that a trojan gives the attacker access to things they shouldn't have access to, the problem is that android gives the trojan access to things it shouldn't so that the data it collects can be passed back to the attacker.
That's not what's happening here. The attack is exploiting a side channel of the rendering behavior, not reading the screen. There's no particular reason to believe that iOS is immune to something like this, though certainly no claim has been made. It's a new idea, it'll take a while for people to puzzle through the implications.
How are you sure? This isn't abusing some poorly secured screenshot API, this is a timing attack on the GPU rendering process and impacts a wide range of GPUs.
Android supremacy at its finest. I would never recommend a family member buying one. The history of this kind of thing is long and keeps continuing to happen.
It's a cool and interesting type of attack, but I really don't care for the breathless clickbait headlines that are sourced to a few security researchers demonstrating an attack in a lab, that has already been patched against and has never been seen in the wild.
Good thing every Android phone gets fresh updates all the time then.
with detailed changelogs!
1 reply →
In Android world, there is not such thing as "has been patched". It is always A complex situation with all different OEMs, devices and versions.
The patch was committed about 3 months ago, possibly available to OEMs as binary earlier, but devices are probably just receiving these patches.
I bet at least half of all affected Android devices in the world have not got the patch yet if I am optimistic. It's probably near 80-90%.
> has already been patched against
... has not been (effectively) patched against, as it happens. Maybe in December!
I'm stuck on the part of the attack where the malicious app opens another app:
> 2. Attacker app opens Google Authenticator's main activity
> 3. Attacker app opens a stack of activities to include graphical operations on pixels displayed by Google Authenticator's main activity
Android allows apps to call other apps? While remaining in the foreground? How does that work? I don't think iOS allows this.
> Android allows apps to call other apps? While remaining in the foreground? How does that work?
From the paper:
Recall from Section 2.1 that when a caller activity sends an intent to a callee activity, Android moves the callee activity to the foreground (along with its task’s back stack if android:-launchMode="singleTask") and moves the caller activity to the background.
However, despite no longer being in the foreground, the caller activity is still allowed to send intents that start additional activities from the background. For example, the caller activity can send another intent to launch a second callee activity.
In this case, the second callee moves to the foreground, while the first callee is moved to the background. Further, SurfaceFlinger treats the window of the second callee as being overlaid in front of the window of the first callee.
In our framework, the attacker app leverages this behavior to layer a stack of semi-transparent activities in front of a newly launched victim activity. In the following, we describe how the attacker uses this stack and SurfaceFlinger’s APIs to isolate, enlarge, and transmit individual pixels from the victim activity.
So kinda like Strandhogg and Tap jacking had a horrible security breach baby
What I got from the article is the malicious app could read the SMS or email which may contain a 2FA code.
> Requires a victim to first install a malicious app on an Android phone or tablet
As Raymond Chen/Old New Thing likes to say this rather requires being on the other side of this airtight hatchway. You can allow apps to do things on your device.
That the app does not require permissions is the notable bit here. I do not know the mobile system, but I thought apps were supposed to be firewalled from each other unless given explicit grants.
The obvious joke, how long has Facebook been using this exploit?
Several preinstalled bloatware stores such as Galaxy Store, Moto apps and so forth will default to opt-in to automatically installing 'recommended apps and games' - essentially spyware garbage they get kickbacks from - in the background, plus several flagship phones now come with Temu preinstalled.
The 90% of non technically-savvy Android users are 100% exposed to the OP exploit.
4 replies →
> That the app does not require permissions is the notable bit here.
The article mentions that "the attacker renders something transparent in front of the target app". I would have thought that sort of thing would require the "appear on top" permission.
1 reply →
> The obvious joke, how long has Facebook been using this exploit?
They were caught exfiltrating data fron phones, with no visible Facebook app installed, only the background one.
Yes, just because a popular blog about a infamously insecure operating system shrugged off certain classes of security problems as “you’re holding it wrong” two decades ago, OS security should be held to the same standard as that piece of shit OS forever. Nothing to see here.
Edit: IIRC the original argument was more reasonable, but it has since been abused in all kinds of situations to make low effort putdowns, like this one.
It can happen quickly. The app itself might be legit, but it may be based in a SDK which is either malicious or compromised.
And there are a lot of automatically installed junk apps on most phones. And every OTA update seems to add more.
> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.
I think it speaks about the security of Android that this makes the news. Coming from Windows, Android always felt as a MUCH more secure Operating System, not just a similar quality Operating System with touch controls and support for smaller hardware.
Raymond Chen's saying is about trust boundaries. That if there's no trust boundary defined, or if a defined boundary is being crossed with consent, then it is unsound to claim there being a security vulnerability (which would be a behavior that allows for crossing a trust boundary without consent).
This doesn't apply in this case, as (usermode apps') screen capturing does require permission, and applications can specifically opt-out from being captured by apps even with that permission, which Google Authenticator does have set. So a trust boundary is being violated, therefore this is a legitimate security issue by his logic.
It also requires that whatever information the attacker is looking for has been displayed on the screen, so for example my banking app (like most banking apps I guess) masks my 4 digit passcode with asterisks so it is likely safe from this specific attack
PD: I just checked and it also doesn't change the color of the pressed keys or any other visual feedback that an attacker might use.
Right, but if you were using TOTP or SMS 2FA, because said bank is a "global leader" but hasn't evolved their end user tech in a long time...
https://0x0.st/XJZT.jpg
That's a bit silly since seat belts were never designed or intended to protect against missiles. If a missile blows up your car that's no fault of your seat belt. You should expect android to prevent other apps from knowing what other apps you have installed and prevent them from accessing data they display though.
In other news, there are substances in the household that are so dangerous that it can can kill you.
First it requires the user take buckets of ammonia and bleach and mix them together.
To be fair, it's more like, you can buy a bottle of ammonia, and then get poisoned by eating an apple.
This is a really interesting new side channel attack. One I had never considered before; it’s like rowhammer but for the screen. Clever. Also evil.
Clever and evil.
There should be a new, stronger word for these kinds of attacks. Like clevevil, or clevil. Yes, pixnapping is clevil. We should strive for the opposite: livelc.
Source: https://www.pixnapping.com/
Quote:
> Google has attempted to patch Pixnapping by limiting the number of activities an app can invoke blur on. However, we discovered a workaround to make Pixnapping work despite this patch. The workaround is still under embargo.
Great, google's security policy ending up being a zeroday. Exactly as denied and exactly as predicted by the community.
Also, this is the direct paper link: https://www.pixnapping.com/pixnapping.pdf
I'm confused. They're saying that the original patch was incomplete and that they believe they've re-broken it, but that they aren't publishing the updated attack because the report is embargoed (presumably to update the fix).
What is the security policy you'd like to see here? If the researchers were to publish the updated attack before mitigation then that WOULD be a zero day!
3 replies →
This really needs to be the link. The article is phrased as if this was a zero day exploiting some kind of 2FA bug, but the actual meat is that it's a novel and really interesting new kind of attack vector (albeit not a particularly practical one) that no one had thought about before.
I would not say "no one had thought about before".
Side channel attack is not a novel idea, just not used to find Android bugs like this.
1 reply →
Just use the Google Authenticator's "Privacy Screen" which requires a PIN, pattern, or biometric verification to open the app. This renders this hack unusable ;-)
Unless you social engineer to export the auth code as QR, take a screenshot, extract the secret key which is pretty much in plain bytes and use it to generate TOTP.
> Does Google plan to patch these APIs? > > Google has attempted to patch Pixnapping by limiting the number of activities an app can invoke blur on. However, we discovered a workaround to make Pixnapping work despite this patch. The workaround is still under embargo.
Can I assume this is being exploited in the wild? Some black hats must be smart enough to figure out the workaround on their own.
Curious if the same technique would also work on Wayland, given one of its design goals is higher cross-app security compared to Xorg.
This attack seems to be explicitly exploiting the Android rendering pipeline through a side-channel.
Wayland, once hardened with security-context doesn't directly expose anything worrying (clipboard stealing is possible but would require window focus or the generation of a window which grabs focus). It remains to be seen if there are side-channels hiding somewhere in it or in the various GPU stacks.
Would you buy a hammer that can't ever hurt your thumb? What implications would that have? Would that be a good hammer?
Bad opinion time that I hope will maybe at least be thought provoking: I would hope a malicious app I willingly installed will be able to behave maliciously. Our security bureaucracy is going to grow exponentially and people are still going to be stealing people's shit, because people need to be able to access their shit and people are dumb.
> requires no [Android] permissions
I think this is the part people are upset about
While I appreciate the sentiment of fighting against oversecure features. This is a great security feature. The Windows OS model started development in the 90s, before the internet or even malware was popular. Android started development around 2010 and was able to provide a security design that contemplated risks of malware and internet.
In Windows installing malware compromises other applications, while in Android, your other apps are safe. In this news, this security mechanism fails. To denounce that the mechanism is completely useless is quite stupid, you just outed yourself as someone who doesn't have any security responsibilities and shouldn't have.
> Would you buy a hammer that can't ever hurt your thumb?
Yes.
I believe those hammers are made by Nerf. Now go build a house with one.
9 replies →
> Would that be a good hammer?
They're called rubber mallets and they are useful in a number of situations where you want to
> I would hope a malicious app I willingly installed will be able to behave maliciously.
You should be able to install an app that has continuous access to your screen but that doesn't mean that continuous access to your screen is something you should have to grant to every piece of software that runs on your computer.
You can hurt your thumb with a rubber mallet. Maybe the better metaphor would be kids' safety scissors which I guess represents the iPhone, but I'd still rather go with the Android (regular scissors) because I'm an adult and I'll take responsibility for the risks of using the more powerful tool.
3 replies →
More accurate title: "There's a new trojan out for android. Like any trojan, it gives the attacker access to things they shouldn't have access to"
The issue isn't that a trojan gives the attacker access to things they shouldn't have access to, the problem is that android gives the trojan access to things it shouldn't so that the data it collects can be passed back to the attacker.
Don't worry you won't be able to install the bad application in the first place thanks to the new ID backed app signature.
Could this be mitigated by introducing some random timing jitter during rendering?
And they can’t with iPhones?
iOS doesn't let apps silently screen record.
That's not what's happening here. The attack is exploiting a side channel of the rendering behavior, not reading the screen. There's no particular reason to believe that iOS is immune to something like this, though certainly no claim has been made. It's a new idea, it'll take a while for people to puzzle through the implications.
How are you sure? This isn't abusing some poorly secured screenshot API, this is a timing attack on the GPU rendering process and impacts a wide range of GPUs.
2 replies →
Neither does Android. This is a timing attack on rendering.
You can't put one app on top of another, so that mitigates at least the 1st stage of this kind of attack.
TL;DR; This is a timing attack on rendering that allows capture of screen data.
tl;dr: This hack is "using a timing attack exploiting the GPU's graphical data compression to try finding out the color of the pixels."
Tldr: this is a timing-based side channel in GPUs allowing and attacker to read pixels from the screen without special privs.
Side channels are why we can't have nice things.
Android supremacy at its finest. I would never recommend a family member buying one. The history of this kind of thing is long and keeps continuing to happen.