A few versions of Android ago, at AndroidTR we talked about a potential threat to users that we named “ScreenTR”. For those who do not remember, it was a simple way to use a special Android app permission to phish inside any app on our phone. The problem had two parts. First, the permission was not the kind that the user has to grant. Second, we could not tell whether what we saw on our screen was real. Well, Android 12 puts an end to the problem.
Google did solve the first part of the problem by making the permission more “dangerous”, so that the user has to grant it manually. But if someone managed to trick the user into granting this permission, we still could not be sure who was drawing the user interface that apps showed us.
The simplest way to exploit this is to create a simple app that legitimately requires this permission and, once it is granted, displays a fake interface over banking or social network applications to obtain our credentials. Once this data has been captured, the fake interface disappears and we assume it was only a problem loading the data.
How does Android 12 fix it?
In addition to the new permissions that will allow third-party stores to compete with Google Play, Android 12 incorporates a new permission that allows applications that request it to prevent non-system windows from being drawn over their interface.
The idea behind this is that a banking application, for example, can prevent any type of overlay on top of it. There is still work to be done before we see this new permission in action: in addition to our phone needing Android 12 or higher, the apps (banking or of any kind) will have to declare it.
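
What declaring and using this protection can look like in an app's login screen, as an added example that is not code from the original article: the permission name `HIDE_OVERLAY_WINDOWS` and `Window.setHideOverlayWindows()` are the Android 12 (API 31) platform names, while the package, `LoginActivity` and layout are hypothetical. It also goes one step beyond the text by dropping touches that arrive while the window is covered, for phones still below Android 12.

```java
// AndroidManifest.xml must also declare the permission:
//   <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS" />
package com.example.bank; // hypothetical package name

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;

public class LoginActivity extends Activity { // hypothetical activity

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login); // hypothetical layout resource

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Android 12+: non-system overlay windows are hidden
            // for as long as this window is visible.
            getWindow().setHideOverlayWindows(true);
        } else {
            // Older releases cannot hide overlays, so let the framework
            // discard touches delivered while another window covers this view tree.
            View root = findViewById(android.R.id.content);
            root.setFilterTouchesWhenObscured(true);
        }
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Defence in depth: the system sets this flag when another visible
        // window sits on top of ours. Consume the event so no credential
        // field or button reacts to it.
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return true;
        }
        return super.dispatchTouchEvent(ev);
    }
}
```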