Security Vulnerability of Gmail on Android apps

Computer scientists at the University of California, Riverside Bourns College of Engineering and the University of Michigan have identified a new weakness they believe to exist in the Android, Windows, and iOS platforms that could be used by hackers to obtain users’ personal information using malicious apps.

The researchers discovered a method to hack into six out of seven popular smartphone apps, including Gmail, across all three platforms - Android, Windows, and iOS - with a shockingly high success rate of up to 92 percent.

The team of researchers - Zhiyun Qian, of the University of California, Riverside, and Z. Morley Mao and Qi Alfred Chen from the University of Michigan - will present its paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks" (PDF), at the USENIX Security Symposium in San Diego on August 23.

The paper details a new type of attack, which the researchers call a UI [user interface] state inference attack, in which a malicious app runs in the background without the user's knowledge. You can watch some short videos of the attacks in action below.

Although the researchers demonstrated the attack on an Android device, they believe the same method could be used across all three operating system platforms, because when users download multiple apps to their smartphones, the apps all run on the same shared platform, or operating system.

"The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at UC Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

Users are therefore left open to such attacks, as an Android phone allows itself to be hijacked or pre-empted. According to the team, the method could allow a hacker to steal a user's password or social security number, peek at a photo of a check in a banking app, or swipe credit card numbers and other sensitive data. The team tested several apps and found some of them, including WebMD, Chase and Gmail, vulnerable.

In the attack as demonstrated on an Android device, an unsigned app, such as a wallpaper changer carrying malicious code, is first installed on the user's phone. Once it is installed, an attacker can use it to access an entry point of any process that the researchers call a "shared-memory side channel", which exists in nearly all popular graphical user interface (GUI) systems. Accessing it doesn't require any special privileges.
