“Cross-Site Request Forgery” Vulnerability
Cross-Site Request Forgery (CSRF) is an attack in which unauthorized commands are transmitted from a compromised app the consumer is using, and the service receiving those requests treats them as coming from a trusted user.
The Phone-paid Services Authority has detected this vulnerability.
The consumer downloads an app from the Google Play Store. In this case, the app was called ‘Simple Speed Booster’.
During use, the consumer is shown a screen indicating that the app is performing some actions. This appears to the user as shown below:
In the background, the app programmatically loads a Payforit page (the same technique could also be used against a PSMS service). Once the page has loaded, the app programmatically completes the transaction without the consumer's consent.
Because the app keeps the transaction hidden from the consumer, the consumer only becomes aware of the charge once a receipt message is received.
This exploit takes advantage of apps on Android devices.
Best Practice Solution
We are looking to create a whitelist of “trusted” apps (such as Facebook, YouTube, etc.) and block requests from unverified apps.
Blocking unverified requests by default limits the scope for targeting other apps by simply creating new apps that have not yet been blocked.
This approach will allow verified, legitimate apps to continue operating PRS services (when appropriate) while preventing security vulnerabilities within Android apps from affecting the services of unsuspecting PRS providers.
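As an added example, not part of the PSA's advisory or of any Payforit implementation: one way the default-deny allowlist could be applied on the service side, keyed on the X-Requested-With header that an Android WebView adds with the embedding app's package name. The trusted package names, the rogue app's package name and the sample requests are constructed for illustration.

```python
import re

# Allowlist of verified app package names. Constructed for this example; the
# real list would be maintained by the Payforit platform / PSA.
TRUSTED_APP_PACKAGES = {
    "com.facebook.katana",         # Facebook
    "com.google.android.youtube",  # YouTube
}

# Android package names are dotted Java identifiers with at least two segments.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def classify_request(headers: dict) -> tuple:
    """Decide whether a Payforit transaction request may proceed.

    An Android WebView adds an X-Requested-With header carrying the package
    name of the app that embeds it, which lets the service tell an in-app
    WebView from a standalone browser. A native HTTP client can forge the
    header, so this is a default-deny filter, not authentication.
    Returns (decision, reason).
    """
    # Header names are case-insensitive, so normalise before looking them up.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    value = lowered.get("x-requested-with")
    if value is None or value == "XMLHttpRequest":
        # No embedding app; "XMLHttpRequest" is what browser AJAX libraries set.
        return ("allow", "standalone browser")
    if value in TRUSTED_APP_PACKAGES:
        return ("allow", "verified app " + value)
    if not PACKAGE_RE.match(value):
        return ("block", "malformed X-Requested-With value")
    return ("block", "unverified app " + value)


def demo() -> dict:
    """Run the filter over constructed sample requests (not real traffic)."""
    samples = {
        "browser": {"User-Agent": "Mozilla/5.0 (Linux; Android 10) Chrome/80.0"},
        "youtube_webview": {"x-requested-with": "com.google.android.youtube"},
        # Placeholder package name for the rogue app; the advisory does not give it.
        "speed_booster_webview": {"X-Requested-With": "com.example.simplespeedbooster"},
        "garbage_header": {"X-Requested-With": "<script>"},
    }
    return {name: classify_request(h)[0] for name, h in samples.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>22}: {decision}")
```

Because a native HTTP client can set the header to any value, this blocks hidden WebView transactions from unverified apps but does not replace explicit consumer consent on the payment page.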