CIP Cyber

Hack Gmail With 92 Percent Success Rate

A weakness in Android, Windows, and iOS mobile operating systems could be used to obtain personal information.

Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information.

Although it was tested only on an Android phone, the team believes that
the method could be used across all three operating systems because all
three share a similar feature: all apps can access a mobile device’s
shared memory.


In a paper being presented Friday at the Usenix cybersecurity conference, the engineers said they also could steal check images from a Chase app with an 83 percent success rate and hack personal information such as address and Social Security numbers from H&R Block (success rate 92 percent), Newegg (86 percent), WebMD (85 percent), Hotels.com (83 percent) and Amazon (48 percent) apps. 

Zhiyun Qian, an assistant professor at UC Riverside.

The researchers started working on the method because they believed
there was a security risk with so many apps being created by so many
developers. Once a user downloads a bunch of apps to his or her
smartphone, they are all running on the same shared infrastructure, or
operating system.

“The assumption has always been that these apps can’t interfere with
each other easily,” Qian said. “We show that assumption is not correct
and one app can in fact significantly impact another and result in
harmful consequences for the user.”

Demonstration

1. Activity hijacking attack steals your password and SSN in H&R Block app: In this video we show an unprivileged app running in the background can track the H&R Block app’s running state (we call such state UI state), unnoticeably hijack the foreground Activity and steal the user’s H&R Block login credentials and Social Security number (SSN).

2. Camera peeking attack steals your personal check image in Chase app: In this video we show an unprivileged app running in the background can track the Chase app’s running state (we call such state UI state), and steal the check photo shot by the user. From the check photo, the attacker can successfully get much highly sensitive personal information such as home address, check recipient name, bank routing number, account number, and even the user’s signature.

  
3. Activity hijacking attack steals your credit card number and shopping ship address information in NewEgg app: In this video we show an unprivileged app running in the background can track the NewEgg app’s running state (we call such state UI state), unnoticeably inject two Activities into the foreground and steal the user’s credit card number and shopping ship address information.

CIP Cyber Staff
