We have discovered a vulnerability that affects versions of the Spotify app for Android older than 1.1.1. If exploited, the vulnerability can allow bad guys to control what is being displayed on the app interface. This vulnerability can be potentially abused by cybercriminals to launch phishing attacks that may result to information loss or theft.
Spotify quickly responded to our discovery by fixing the flaw in the 1.1.1 version of the app. Users are encouraged to make sure they are using the latest version of Spotify for Android.
The vulnerability affects a specific activity (com.spotify.mobile.android.ui.activity.TosTextActivity), which is designed to retrieve and show Spotify web pages on the app. The vulnerability causes the content of these exported web pages to be visible to other apps installed in the phone. Furthermore, the bug can allow a separate app, process, or thread to trigger the activity without the need for additional permissions.
Using a malicious app, an attacker can exploit this activity to alter the content being shown by the app to users. For example, we were able to show the Google home page on the Spotify app. Far more malicious pages can also be displayed within the app.
Figure 1. Official Spotify app displaying Google home page
Figure 2. “Malicious” page that could be displayed by the app
It should be noted that the malicious app can trigger and “minimize” the activity at will. If a user tries to stop the Spotify app by using the “Back” button, the malicious content will show up on the screen. Users who may not be overly familiar with the app might view this action as a normal routine for the app.
Because potential attacks do not require additional permissions, users may not be aware of any suspicious activity that may arise from this situation. No additional permissions also mean that AV solutions and threat researchers may find it harder to detect and analyze malicious activity.
Potential for Phishing Attacks
Attackers may take advantage of this vulnerability to create phishing pages that ask for sensitive information such as user names, passwords, contact details, and even payment information. The latter is especially plausible considering Spotify offers both free and premium services. A well-crafted phishing page might cause users to assume that the request for financial information is part of a routine or process. A phishing page is often just the first step to other schemes. The stolen information could be used for other schemes such as identity theft, fraud, or even targeted attacks.
Cybercriminals may also create pages that will lead users to other threats such as malware. Because the vulnerability lies within the official app—compared, say, to a fake Spotify app—users will be prone to believe the malicious pages being displayed. These scenarios are similar to ones we previously discussed in our blog entry, Android App Components Prone to Abuse.
Spotify has fixed the flaw in Version 1.1.1 of the Android app. We advise Spotify users to upgrade to that version or download the latest version to help protect themselves against this issue or visit the Google Play store to automatically get the latest update. At the time of publishing, the latest version is 1.1.2.
As of this writing, we are not aware of any attacks using this vulnerability.