Security researchers have identified a flaw in Android, Windows and iOS operating systems that they said can be used to steal personal information from unsuspecting users who communicate with Gmail, Chase Bank and other popular apps.
Researchers at the University of California, Riverside and the University of Michigan have discovered a new type of hack called a user interface state interference attack, which essentially means that hackers can run a malicious app in the background of a user’s device without their knowledge. The paper, which will be presented at Friday’s Usenix Security Symposium in San Diego, says that hackers could steal a user’s password and social security number while also sneaking a look at a banking app or credit card numbers.
The researchers demonstrated the hack on an Android phone only, but believe their method will work on other operating systems because they share a key feature the researchers exploited in the Android system. The researchers said their method was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested.
The hack is carried out when users download what appears to be a harmless app (such as an app for background wallpaper) that gives cybercriminals access to their device. Once the hackers are in the operating system, they're able to exploit its "shared memory," a commonly found system that facilitates data-sharing between apps. If that process is effective, hackers can then jump from one app to another, logging data that would otherwise be out of their reach.
The researchers said that attacks on Google Inc.'s (NASDAQ:GOOGL) Gmail and H&R Block Inc.'s (NYSE:HRB) app were successful 92 percent of the time. Attacks on the apps of JPMorgan Chase & Co.'s (NYSE:JPM) Chase Bank subsidiary, Newegg.com Inc., WebMD Health Corp. (NASDAQ:WBMD) and Hotels.com LP were successful 83 percent, 86 percent, 85 percent and 83 percent of the time, respectively. Amazon.com Inc.’s (NASDAQ:AMZN) app was the only one that was difficult to infiltrate (48 percent) because the app allows users to transition from one activity to another more seamlessly.
The researchers were inspired to study the apps because there are so many developers creating so many apps, leading them to believe that issues could arise when an individual runs so many programs on the same shared operating system. The best way to avoid such an infiltration, they said, is to only trust well-known apps, in part because “background applications do not directly interact with users, so they should not perform privacy-sensitive actions freely.”
“The assumption has always been that these apps can’t interfere with each other easily,” Zhiyun Qian, an assistant professor in the computer science and engineering department at UC Riverside and one of the paper's authors, told Phys.org, a science, research and technology website. “We show that assumption is now correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
The presentation comes in the same week that United Parcel Service Inc. (NYSE:UPS) said hundreds of its stores had suffered a data breach, while Chinese criminals used the dreaded Heartbleed bug to steal millions of Americans’ hospital records.
The researchers created three short videos that show how the attacks work.