A weakness in Android, Windows, and iOS mobile operating systems could be used to obtain personal information.
Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information.
Although it was tested only on an Android phone, the team believes that
the method could be used across all three operating systems because all
three share a similar feature: all apps can access a mobile device’s
shared memory.
In a paper being presented Friday at the Usenix cybersecurity conference, the engineers said they also could steal check images from a Chase app with an 83 percent success rate and hack personal information such as address and Social Security numbers from H&R Block (success rate 92 percent), Newegg (86 percent), WebMD (85 percent), Hotels.com (83 percent) and Amazon (48 percent) apps.
|
Zhiyun Qian, an assistant professor at UC Riverside. |
The researchers started working on the method because they believed
there was a security risk with so many apps being created by some many
developers. Once a user downloads a bunch of apps to his or her smart
phone they are all running on the same shared infrastructure, or
operating system.
“The assumption has always been that these apps can’t interfere with
each other easily,” Qian said. “We show that assumption is not correct
and one app can in fact significantly impact another and result in
harmful consequences for the user.”
Demonstration
1. Activity hijacking attack steals your password and SSN in H&R Block app: In this video we show an unprivileged app running in the background can track H&R Block app’s running state (we call such state UI state), unnoticeably hijack the foreground Activity and steal user’s H&R block login credentials and social security number(SSN).
2. Camera peeking attack steals your personal check image in Chase app: In this video we show an unprivileged app running in the background can track Chase app’s running state (we call such state UI state), and steal the check photo shot by the user. From the check photo, the attacker can successfully get many highly-sensitive personal information such as home address, check recipient name, bank routing number, account number, and even the user’s signature.
3. Activity hijacking attack steals your credit card number and shopping ship address information in NewEgg app: In this video we show an unprivileged app running in the background can track NewEgg app’s running state (we call such state UI state), unnoticeably inject two Activities into foreground and steal user’s credit card number and shopping ship address information.