WinSpy: Cross-window Side-channel Attacks on Android's Multi-window Mode

What is it about?

As smartphones get larger and foldable screens become more popular, the "multi-window mode" (running two apps side-by-side) has become a favorite feature for multitasking. However, our research reveals that this convenience comes with a significant, previously overlooked privacy risk. We discovered that when two apps share the screen, the Android system treats them almost equally, allowing them to compete for the phone's computing resources and access motion sensors with high priority. We developed a framework called "WinSpy" to demonstrate how a malicious app running in one window (e.g., a simple calculator or floating widget) can "spy" on the victim app in the other window. Without requiring any special sensitive permissions, the spy app can analyze tiny fluctuations in the phone’s processing speed and invisible vibrations detected by the motion sensors. By doing so, it can accurately figure out which app you just opened, what website you are browsing, and even detect sensitive interactions—such as typing a PIN or tapping the "transfer" button in a banking app. Our work highlights that the current security walls between split-screen apps are too thin and proposes new protections to ensure multitasking remains safe for users.

Featured Image

Photo by Thanos Pal on Unsplash

Photo by Thanos Pal on Unsplash