Security researchers claim to have found a way for malware developers to target Android phones with phishing and pop-up scams using its push' alert feature for apps.
The SpiderLabs advanced security team at Trustwave said the ability of Google's mobile operating system (OS) to push one application to the front of active processes to deliver notifications could be exploited by cyber criminals.
A counterfeit mobile banking app could, for instance, push a fake login page to a user in order to steal username and password details in a phishing exploit.
Or, the researchers suggested, it could more simply but no less intrusively be used to push pop-up adverts onto a user's screen every time they tried to use an affected app. Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave said that, because of the push nature of Android notifications, users were more likely to mistakenly trust them.
Percoco and Trustwave SSL developer Sean Schulte revealed their findings by demonstrating a proof of concept targeting Facebook, Amazon and Google passwords. Google has reportedly responded by saying that it did not regard the design feature as a flaw at all.
"Switching between applications is a desired capability used by many applications to encourage rich interaction between applications," it said in a statement sent to IT Pro.
The software giant also said it had not encountered any examples of the feature being exploited maliciously but that, if it did, it would remove the offending apps from the Android Market.
Percoco and Schulte countered during their DefCon hacking conference presentation that waiting to remove an app using this feature maliciously after it has been reported was "dangerous".
Meanwhile, a security expert recently predicted five per cent of all Android and Apple iPhones will be infected with malware in 2012.
