Announcing their findings at the DefCon 19 event in Las Vegas at the weekend, Nicholas Pecoco, Trustwave's head of SpiderLabs and Sean Schulte, a Trustwave developer, said that the structural flaw allows developers to create apps that display a fake log-in page or present users of smartphones or tablets with pop-ads from third parties.
According to the CNet newswire, current apps on the Android platform that want to communicate with the user whilst another is in the foreground push an alert to the notification bar on the top of the screen.
But, says the newswire, there is an API - application programming interface - within Android's software development kit that can be used to push a particular app to the foreground.
The Phandroid newswire, meanwhile, reports that the flaw allows developers to override the standard for stepping back to the previous Android function (the back button) and allows the app to move into the foreground.
The vendor is calling the security problem the `Focus Stealing Vulnerability.'
Phandroid says that the researchers have created a proof-of-concept tool that is a game but also triggers fake displays for sites such as Amazon, Facebook and others. The tool, the newswire adds, installs itself as part of a payload inside a legitimate app and registers as a service, meaning it will return, even after phone reboot.
Trustwave says that Google has been made aware of the problem with Android, but is reportedly trying to develop a solution that does not affect legitimate apps that use the features that could be exploited by hackers.
This could be easier said than done, Infosecurity notes, as because the flaw is a structural one, it may require a recoding of the Android main code itself, meaning an operating system upgrade is required to solve the issue.