Security researchers from the University of Michigan and the University of California Riverside Bourns College of Engineering have found a security flaw in the Android, Windows, and iOS platforms that allows malicious apps to steal personal information from a smartphone.
So far the flaw has only been tested on Android phones, but the team is sure that the same method can be used on all three operating systems because they share a similar feature: the ability of apps to access the device’s shared memory.
The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate, according to the UCR blog.
“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, an associate professor at UC Riverside. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
The attack starts with installing a malicious app on the device. It doesn’t have to be a complex app; a wallpaper app is enough to begin with.
Once that app is installed, the researchers are able to exploit a newly discovered public side channel, the shared memory statistics of a process, which can be accessed without any privileges, the publication writes, explaining that “Shared memory is a common operating system feature to efficiently allow processes to share data.”
With the app in place, the researchers can monitor changes in shared memory and correlate them with activity on the device to track the user’s activity in real time.
A successful attack depends on two conditions:
1. The victims must be unaware of the fact that they are under attack.
2. The attack must take place exactly when the user is performing the action.
“We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen,” said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. “It’s seamless because we have this timing.”
The researchers have released demo videos showing exactly how the attack is conducted and how the victim’s login credentials and credit card details can be retrieved in real time.