SIK-2016-008


Title:

Tapjacking Attack on cheetahmobile App

Report ID

SIK-2016-008

Summary:

The application is vulnerable to a tapjacking attack, which can trick the user into deactivating security features of the application.

Details:

The application exports many activities and other app components, which can be started externally by third-party apps. A malicious app can start such a component, draw an overlay on top of it and trick the user into deactivating security features of the application.

For further details about tapjacking and protection mechanisms, see:

https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf

Workaround

Be wary of unexpected text dialogs that do not come from the official app.

Suggested Mitigation

Reduce the number of exported application components and implement tapjacking protection. The Android API provides several methods to mitigate tapjacking (see: http://developer.android.com/intl/es/reference/android/view/View.html#setFilterTouchesWhenObscured%28boolean%29)
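As an added illustration of the suggested mitigation (example code written for this advisory, not code from the vendor's app), the following Android snippet shows both countermeasures: a security-sensitive button that discards touches arriving while its window is obscured, and a note on keeping the hosting Activity unexported. The class, package, layout and resource names (SecureButton, SecuritySettingsActivity, R.layout.security_settings, R.id.disable_protection) are hypothetical.

```java
// Added example, not part of the advisory or the vendor's app.
// Package and resource names are hypothetical.
package com.example.tapjackingdemo;

import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;

/**
 * A Button that refuses touches delivered while another window covers it.
 * Android sets MotionEvent.FLAG_WINDOW_IS_OBSCURED on such events; this is
 * the same signal View.setFilterTouchesWhenObscured(true) relies on.
 */
class SecureButton extends Button {

    public SecureButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Framework-level filter: equivalent to
        // android:filterTouchesWhenObscured="true" in the layout XML.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            // Explain to the user why the tap was ignored instead of
            // silently dropping it, then discard the event.
            Toast.makeText(getContext(),
                    "Another app is covering the screen; action blocked.",
                    Toast.LENGTH_SHORT).show();
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}

/**
 * Hosts the security settings. In AndroidManifest.xml this Activity should
 * carry android:exported="false" (hypothetical manifest entry) so third-party
 * apps cannot launch it and present it under an overlay.
 */
public class SecuritySettingsActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.security_settings);

        SecureButton disableProtection =
                (SecureButton) findViewById(R.id.disable_protection);
        disableProtection.setOnClickListener(v -> disableProtectionFeature());
    }

    private void disableProtectionFeature() {
        // Hypothetical: the security-sensitive action an overlay would try
        // to trigger. It is only reachable through an unobscured tap.
    }
}
```

The two measures address different halves of the attack: the manifest `android:exported="false"` removes the external entry point that lets a malicious app bring the dialog up in the first place, while the obscured-touch filter protects the dialog even when it is reached legitimately. The filter only fires when a window is drawn over the view at the moment of the touch, so it should be applied to every control that changes a security setting, not just to one button.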

Timeline

  • 2015-12-15 Vulnerability Discovered
  • 2015-12-21 Vulnerability Reported (first attempt, no reaction)
  • 2016-01-18 Vulnerability Reported (second attempt)
  • 2016-01-27 Vulnerability Fixed