A new study shows that a weakness in the Android
operating system can be used to steal sensitive, personal information from unwitting users. The researchers behind the study tested the hack on an Android phone, but say it can likely also affect devices using other operating systems.
The vulnerability involves a “UI state inference attack" that lets hackers present a fake user interface (UI) screen at exactly the moment when the user is planning to enter sensitive data.
Here's how it works: the malicious app lets attackers track what a user is doing on his phone. Then, when the user goes to log into a target app, say a banking app, the hackers insert an identical -- but fake -- login screen. The malicious app can then steal the data the user is entering into the target app.
Gmail App Particularly Vulnerable
The researchers, who hail from the University of Michigan and the University of California, Riverside, presented their findings at the 23rd USENIX Security Symposium taking place in San Diego, Calif.
They tested seven popular apps and successfully hacked six of the apps between 82 percent and 92 percent of the time. The Android Gmail app was one of the easiest apps to attack, the researchers said.
They were also able to hack Android apps from H&R Block, Newegg, WebMD, Chase Bank, and Hotels.com. The researchers were able to access sensitive information such as login credentials, images of checks containing banking information, Social Security and credit card numbers.
Amazon’s app proved the most difficult to attack using the new hack, resulting in a success rate of only 48 percent. That's because of the flexibility of the Amazon app, which seamlessly transitions from activity to activity, making it more difficult for a hacker to guess what a user is going to do next.
"The Amazon app case indicates that our inference method may not work well if certain features are not sufficiently distinct, especially the major contributors such as the transition model and the event feature," the researchers said.
Shared Memory: The Achilles Heel
“The major enabling factor is a newly-discovered shared-memory side channel, which can be used to detect window
events in the target ,” the researchers said. “This side channel exists because shared memory is commonly adopted by window managers to efficiently receive window changes or updates from running applications.”
The malware might know that the UI is presenting a login screen, even without knowing the exact pixels being rendered. Since shared memory is used by all apps, researchers were able to exploit that fact to steal information such as login information and financial details.
The researchers proposed that Android and other mobile operating systems should eliminate elements that they exploited for the attack, such as the proc file side channel. However, they added that more research would be necessary to determine how effective such measures might be, and how much they would impact backward-compatibility or functionality.