Researchers at the California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information.
So far the attack has been tested only on an Android phone, but it is believed that the method could be used across all three operating systems because all three can access a mobile device’s shared memory.
Zhiyun Qian, an associate professor at UC Riverside aid that one app can in fact significantly impact another and result in harmful consequences for the user.”
First, a user must download an app that appears benign, such as a wallpaper, but actually contains malicious code. Once installed, the researchers can use it to access the shared memory statistics of any process, which does not require any special privileges.
The researchers monitored changes in this shared memory and can correlate see if someone is logging into Gmail, H&R Block, or taking a picture of a cheque to deposit it online via Chase Bank. They managed to hack with a success rate of 82 to 92 percent. Using a few other side channels, the team was able to accurately track what a user was doing in real-time.
It is not that easy. The attack needs to take place at the exact moment that the user is performing the action. Second, the attack needs to be conducted in such a way that the user is unaware of it.
Of the seven apps tested, Amazon was the hardest to crack, with a 48 percent success rate. This is because the app allows one activity to transition to another activity, making it harder to guess what the user will do next.
The team will present its paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks” (PDF), at the USENIX Security Symposium in San Diego on August 23. You can watch some short videos of the attacks in action below.