#StackBounty: #privacy #android Does the ANeko app demonstrate vulnerabilities in the Android architecture?

Bounty: 100

There is an Android app called ANeko, which lets a cute cat run around your screen. The app doesn’t require any special permissions. When I first started it, I was frightened for several reasons:

  1. It overpaints the home screen and any other screen with its cute cat icon, which I thought was not possible.

  2. The cat even runs around the login screen, which I thought would be a specially protected area.

  3. The ANeko app receives any touch events from any app, although with coordinates (0.0,0.0).

  4. The ANeko app even receives touch events from the login screen.

Now ANeko is only a toy app, and it seems to do exactly what its code on GitHub says. But who knows whether the binary really corresponds to the code?

Are there any legitimate use cases for these features (overpainting, surveilling touch events)?

How can I, as a normal user, protect myself against all touch events being recorded and analyzed? Since even a video of a chips bag can reveal sound recordings, I think that by recording the timing of the touch events, it might be possible to guess the PIN, or passwords, or typical usage patterns.
