This post is also available in: עברית (Hebrew)
A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone – see the clip below.
The researchers tested the method and found it was successful between 82% and 92% of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48% success rate, was the only app they tested that was difficult to penetrate.
Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.
The researchers monitor changes in shared memory and are able to correlate changes to what they call an “activity transition event,” which includes such things as a user logging into Gmail or H&R Block or a user taking a picture of a check so it can be deposited online, without going to a physical CHASE Bank. Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.
There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.
“By design, Android allows apps to be preempted or hijacked,” Qian said. “But the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique.”