A newly discovered hacking method appears to have a shockingly high success rate across a variety of popular Android apps. Researchers at the University of Michigan and the University of California, Riverside, discovered that six out of seven popular apps could be hacked with up to a 92 percent success rate.
In a paper to be presented at Friday's USENIX Security Symposium, the researchers detailed a new type of hack, which they call a UI [user interface] state interference attack. A UI state interference attack simply means that the hacker can run the malicious app in the background without the user knowing.
The researchers say it could allow a hacker to steal a user's password and social security number, peek at a photo of a check on a banking app, or swipe credit card numbers and other sensitive data. WebMD, Chase and Gmail were some of the apps tested and found to be vulnerable.
In Android, an entry point that the researchers call a "shared-memory side channel" could allow hackers to detect what's going on in a user's app. This security hole is not unique to Android, so the hack could presumably be used in iOS and Windows as well, the researchers say.
A user would be vulnerable if they downloaded an app that appeared to be benign but in reality was malware; hackers could then exploit this vulnerability to observe whatever personal data the user entered. One example might be when a user opens a banking app and logs in. The hacker would be notified and could begin an "activity hijacking attack," allowing them to get a user's personal information.
Another example could be when a check is deposited electronically. A "camera peeking attack" could steal the image of the check, allowing hackers access to sensitive information such as the bank account number, routing number and signature.
The researchers demonstrate the hacks on their website, showing how they were able to compromise seven different Android apps: WebMD, Gmail, Chase, H&R Block, Amazon, NewEgg and Hotel.com. They said they managed to hack into Gmail and H&R Block about 92 percent of the time. The Amazon app proved to be the least vulnerable, they said, with a hacking success rate of about 48 percent. They said this was most likely due to the UI model Amazon uses in its app; instead of having the same screen and different text, Amazon provides a different options menu for each activity.
"The Amazon app case indicates that our inference method may not work well if certain features are not sufficiently distinct, especially the major contributors such as the transition model and the network event feature," the researchers write in the paper.
The three researchers who made the discovery are Qi Alfred Chen, a PhD candidate at the University of Michigan; Zhiyun Qian, an assistant professor at the University of California, Riverside; and Z. Morley Mao, an associate professor at the University of Michigan.