Researchers at security firm Promon have revealed an Android vulnerability that is being exploited by a malicious program to steal a user’s bank account. The vulnerability lies in a multitasking feature called TaskAffinity, which allows an application to assume the identity of other apps or tasks running in the multitasking environment.
A malicious program can use this feature by setting the TaskAffinity of one of its activities to match the package name of a trusted third-party app. Combined with other spoofing methods, the malicious app can hijack the target task and request permissions for sensitive actions such as recording audio, taking photos, or reading text messages, or it can phish login credentials.
Security researchers have discovered 36 malicious apps exploiting the vulnerability, and some have even made it into the official Google Play market. Google removed the apps after receiving the report, but the vulnerability, which affects all Android versions, has not been fixed.
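
For app reviewers, the TaskAffinity pattern described above can be checked statically. The following is an added example, not code from Promon or from the original article: it audits a manifest that has already been decoded to text XML and reports every activity whose effective task affinity names a package other than the app's own. The package and activity names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest (decoded text XML, not the binary form inside an APK).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".SettingsActivity" android:taskAffinity=""/>
    <activity android:name=".Overlay" android:taskAffinity="com.example.bank"/>
  </application>
</manifest>
"""


def foreign_affinities(manifest_xml):
    """Return (activity, affinity) pairs whose task affinity names another package."""
    # For manifests from untrusted APKs, parse with a hardened XML parser
    # (for example the defusedxml package) instead of the stdlib parser.
    root = ET.fromstring(manifest_xml.strip())
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        # Activities inherit the application's affinity; the default is the package name.
        default = app.get(AFFINITY, package)
        for activity in app.iter("activity"):
            affinity = activity.get(AFFINITY, default)
            # An empty string means the activity has no affinity for any task.
            if affinity and affinity != package:
                findings.append((activity.get(NAME), affinity))
    return findings


if __name__ == "__main__":
    for name, affinity in foreign_affinities(SAMPLE_MANIFEST):
        print(f"review: activity {name} declares taskAffinity {affinity}")
```

A reported activity is a prompt for manual review rather than proof of malice, since an app may legitimately use a custom affinity string for its own tasks.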