Malicious apps are a popular way for scammers to gain control of your phone, but what about data housed within the supposedly secure apps on your device?
A team of researchers from the universities of Michigan and California Riverside have found that just one malware-ridden app on a device can infiltrate other apps on the phone, regardless of their levels of security.
The weakness allowed researchers to access apps like Gmail, Chase Bank, and H&R Block on Android. The vulnerability is also thought to exist on the iOS and Windows Phone platforms, though the team has not yet assessed them. Amazon, with a 48 percent success rate, was the only tested application that was difficult to penetrate.
The culprit, according to the team—Zhiyun Qian (UC Riverside), Z Morley Mao (U. of Michigan), and Qi Alfred Chen (U. of Michigan Ph.D student)—is shared memory.
“The fundamental reason for such confidentiality breach is in the Android GUI framework design, where every UI state change can be unexpectedly observed through publicly accessible side channels,” the report says. “This side channel exists because shared memory is commonly adopted by window managers to efficiently receive window changes or updates from running applications.”
“The assumption has always been that these apps can’t interfere with each other easily,” Qian said in a statement. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
If you download a malicious app, a hacker can then exploit a public side channel to track activity inside other apps. Pulling it off, however, has its difficulties.
According to the researchers, the attack must happen at the exact moment the user is logging into an app like Gmail or taking a photo of a check to deposit online. It then needs to be carried out inconspicuously, so as to not draw attention to the hacker.
“By design, Android allows apps to be preempted or hijacked, Qian said. “But the things is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique.”
The team attempted to hack seven apps, with varying success rates: Gmail (92 percent), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent), Chase Bank (83 percent), Hotels.com (83 percent), and Amazon (48 percent).
There’s not much users can do to fend off attacks, except, perhaps, “don’t install untrusted apps.” When in doubt, don’t download.
Check out the Chase hack in the video below, and the H&R Block and Newegg exploits. The team will present their findings today during the USENIX Security Symposium in San Diego.