Smartphone users, beware: The apps you’re using may not be as secure as you think, according to new collaborative research from the University of Michigan and the University of California, Riverside.
“The assumption has always been that these apps can’t interfere with each other easily,” says Zhiyun Qian, an assistant professor at the University of California and co-author of the report. “We show that assumption is not correct, and one app can in fact significantly impact another and result in harmful consequences for the user.”
In a demonstration using an Android phone, the researchers show how a hacker can introduce a fake screen at the same time the user is expecting to enter sensitive data.
The method was successful between 82 and 92 percent of the time on six of the seven popular apps they tested; Gmail, Chase Bank, and H&R Block were among those easily compromised. Amazon gave the team the most trouble, but the attack still succeeded 48 percent of the time against it.
But how do hackers gain access in the first place?
The attack starts when a user downloads a seemingly benign app, one that controls the phone’s wallpaper, for instance, says Qi Alfred Chen, a doctoral student in electrical engineering and computer science at U-M. While that app runs in the background, it can read other apps’ shared-memory statistics without needing any special privileges.
The researchers monitored changes in the size of an app’s shared memory, a counter that Android at the time exposed to any process through the proc filesystem (/proc/<pid>/statm), and correlated those changes with what they call “activity transition events,” such as logging into a service or photographing a check so that it can be deposited online. Augmented with a few other side channels, the team could fairly accurately track user activity in real time, which lets a hacker time the appearance of a fake screen precisely.
“We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen,” Chen says. “It’s seamless because we have this timing.”
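To make the side channel concrete, here is an added toy reconstruction of the inference step described above. It is not the researchers’ code. It assumes a background process can sample another process’s memory statistics in the format of Linux /proc/<pid>/statm (third field: shared pages), converts the samples into a sequence of counter changes, and matches that sequence against signatures supposedly recorded for known screens. The sample lines, page counts, screen names and signature values are all constructed for the demonstration.

```python
# Added example, not the researchers' code: a toy UI-state inference
# detector built on a shared-memory size side channel. A background
# process polls another process's /proc/<pid>/statm, whose third field
# is the number of shared pages, and infers which screen the victim app
# just drew from the pattern of changes in that counter.
from typing import Dict, List, Optional, Sequence, Tuple

# Hypothetical signatures: the sequence of non-zero shared-page deltas
# observed when the target app draws a given screen, as if recorded in
# a training run by the attacker. Values are made up.
SIGNATURES: Dict[str, List[int]] = {
    "login_screen": [140, 70, 5],
    "check_deposit": [600, 210, -20],
}

# Constructed /proc/<pid>/statm samples taken at a fixed polling interval.
# Fields (in pages): size resident shared text lib data dt
SAMPLES: List[str] = [
    "50000 21000 1200 300 0 18000 0",
    "50000 21000 1200 300 0 18000 0",
    "50020 21100 1340 300 0 18050 0",  # +140 shared pages
    "50020 21150 1410 300 0 18050 0",  # +70
    "50020 21150 1410 300 0 18050 0",
    "50020 21150 1415 300 0 18050 0",  # +5
    "50020 21150 1415 300 0 18050 0",
]


def shared_pages(statm_line: str) -> int:
    """Return the shared-pages field (third column) of one statm line."""
    fields = statm_line.split()
    if len(fields) < 3:
        raise ValueError("malformed statm line: %r" % statm_line)
    return int(fields[2])


def transition_deltas(samples: Sequence[str]) -> List[int]:
    """Collapse polled samples into the non-zero changes of the shared
    counter; samples where nothing changed carry no UI information."""
    values = [shared_pages(s) for s in samples]
    return [b - a for a, b in zip(values, values[1:]) if b != a]


def match_signature(
    deltas: Sequence[int],
    signatures: Dict[str, List[int]],
    tolerance: float = 0.1,
) -> Optional[Tuple[str, int]]:
    """Slide every signature over the delta sequence. A match requires each
    observed delta to lie within `tolerance` (relative, at least 1 page) of
    the recorded one. Returns (screen_name, index of the last matching
    delta) so a caller knows at which sample the transition completed."""
    for name, sig in signatures.items():
        n = len(sig)
        for start in range(0, len(deltas) - n + 1):
            window = deltas[start:start + n]
            if all(abs(w - s) <= max(1, abs(s) * tolerance)
                   for w, s in zip(window, sig)):
                return name, start + n - 1
    return None


def infer_ui_state(samples: Sequence[str],
                   signatures: Dict[str, List[int]] = SIGNATURES) -> Optional[str]:
    """Return the inferred screen name, or None if no signature matched."""
    hit = match_signature(transition_deltas(samples), signatures)
    return hit[0] if hit else None


if __name__ == "__main__":
    print(transition_deltas(SAMPLES))   # [140, 70, 5]
    print(infer_ui_state(SAMPLES))      # login_screen
```

In the attack as the article describes it, the polling loop would run continuously and the moment `infer_ui_state` reports the login screen is the moment the fake screen is drawn on top of the real one; nothing about the victim’s memory contents is ever read, only the size counter. The practical check for a defender is whether that counter is readable at all: Android 7.0 started mounting /proc with `hidepid=2`, so an unprivileged app can no longer read other processes’ /proc entries, and on any Linux system the same mount option closes this particular channel.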
Chen suggests that check images are a particular risk. “A camera-peeking attack can steal your account number, home address, and even your signature,” he says.
The researchers believe their method will work on other operating systems in which apps can freely read other processes’ shared-memory statistics. Shared memory itself lets processes exchange data efficiently, but exposing its usage counters to every app also lets malware track user behavior.
“Don’t install untrusted apps,” says Qian when asked what a smartphone user can do about this situation.
Chen adds that users should also be wary of the information access requested by apps on installation.