Right, until I see the code or a live demo, it looks like "hijacking the launcher" is just installing a custom launcher. There should be a dialog that prompts you to choose which launcher you want to use, but the demo doesn't show this. Was the phone prepped? Is there a vulnerability in "readdressing"?
No one seems to ever reply or actually give a demo of it, so it's hard to tell. The comments are interesting, but don't provide enough detail for anyone to take action or help :\

-Tim Strazzere

On Mon, Sep 10, 2012 at 11:26 AM, Jared O <[email protected]> wrote:

> Back to the "custom launcher" malware, the best information I've read was
> in the comments on the original NCSU blog post by Xuxian
>
> http://web.ncsu.edu/abstract/technology/wms-jiang-clickjack/
>
> - Jared O
>
> On Thursday, September 6, 2012 1:08:10 PM UTC-4, strazzere wrote:
>
>> What's leading you to believe #2? I agree that is the solution if this is
>> indeed tapjacking.
>>
>> Though sadly, every time I or other people have asked for a PoC or
>> explanation, we've been met with radio silence. Until I can get my hands on
>> this or a full explanation, I'm inclined to believe that this "rootkit" is
>> just a custom launcher.
>>
>> -Tim Strazzere
>>
>> On Thu, Sep 6, 2012 at 10:04 AM, Subodh Iyengar <[email protected]> wrote:
>>
>>> Three things:
>>> 1. This type of malware is already known in the community, so much so
>>> that it already has a name for itself, "Tapjacking".
>>> 2. This is already solved using the setFilterTouchesWhenObscured flag in
>>> Gingerbread and beyond.
>>> 3. This type is not really a "rootkit", when the OS can detect it's
>>> running.
>>>
>>> On Wednesday, July 4, 2012 2:22:05 AM UTC-7, RichardC wrote:
>>>>
>>>> http://www.theregister.co.uk/2012/07/04/poc_android_clickjacking_rootkit/
>>>>
>>>> *"The clickjacking vulnerability is present in Android 4.0.4 (Ice
>>>> Cream Sandwich) and earlier versions of the smartphone OS. The mechanism -
>>>> described as a "user interface readdressing attack" - means the malware can
>>>> be installed by a user thinking he or she is agreeing to some other action
>>>> and without a reboot. No privilege escalation is needed, nor any nobbling
>>>> of the operating system's core kernel."*
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Android Security Discussions" group.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msg/android-security-discuss/-/bb9GUmu-cVEJ.
>>>
>>> To post to this group, send email to android-secu...@googlegroups.com.
>>>
>>> To unsubscribe from this group, send email to
>>> android-security-discuss+[email protected].
>>> For more options, visit this group at
>>> http://groups.google.com/group/android-security-discuss?hl=en.
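
The `setFilterTouchesWhenObscured` flag mentioned in the quoted reply, shown as an added example that is not part of the original thread or any poster's code. The class name `ObscuredAwareButton` and the toast text are hypothetical; the framework calls are the standard Android `View` and `MotionEvent` APIs available from API level 9 (Gingerbread).

```java
import android.content.Context;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;

/**
 * Hypothetical confirmation button that refuses taps while another
 * window is drawn on top of it (the tapjacking case).
 */
public class ObscuredAwareButton extends Button {

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Ask the framework to discard touches delivered while this view's
        // window is obscured. Equivalent to declaring
        // android:filterTouchesWhenObscured="true" in the layout XML.
        setFilterTouchesWhenObscured(true);
    }

    /**
     * Called for every touch event before normal dispatch. Returning false
     * drops the event. The explicit flag check here duplicates what the
     * setter above enables, but lets the app tell the user why the tap
     * was ignored instead of failing silently.
     */
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            if (event.getAction() == MotionEvent.ACTION_DOWN) {
                Toast.makeText(getContext(),
                        "Tap ignored: another app is drawing over this screen.",
                        Toast.LENGTH_SHORT).show();
            }
            return false; // do not deliver the tap to click handlers
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

The filter only protects views that opt in, so it covers an app's own sensitive buttons and says nothing about whether a replacement launcher was installed.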
