Security and wireless mobility are always a hot topic of discussion and new antivirus programs are being developed and sold every day…but do they really protect your personal information from hackers? It would probably be no surprise to you or anybody, if the answer were a big, fat, NO! Three researchers – Qian and Qi Alfred Chen and Z. Morley Mao of the University of Michigan – plan to present their findings at the USENIX Security Symposium in San Diego on August 22. Their research paper, "Peeking into Your App Without Actually Seeing It: UI State Interference and Novel Android Attacks" is sure to open some eyes.
According to our source, our modern operating systems are supposed to "sandbox" applications so they cannot affect each other – yet these three researchers have shown that one app can literally "spy" on one another, stealing critical and sensitive information – such as passwords, credit card numbers and even photos – as we enter it on our smartphone. The "spying" app runs quietly in the background, much as a wallpaper runs – always present and always on. The researchers were able to steal a Social Security Number from and H&R Block app, a credit card number from a NewEgg app and check image from a deposit made on the Chase app – these are all illustrated in the three videos below. Researcher Zhiyun Qian of NEC Laboratories America told Phys-Org., "The assumption has always been that these apps can't interfere with each other easily. One app can in fact significantly impact another and result in harmful consequences for the user."
To prevent this type of "spying" or infection, the applications cannot share memory, but due to limited resources, running applications do share memory so that they can all operate more efficiently. While truly sensitive data is "compartmentalized," what the application considers a mundane task can be shared – such as a graphical user interface (GUI). It is through the GUI's fluctuations – the rise and fall of memory allocations of the target app – that the malicious app lies in wait and knows when to do an indirect or "side-channel" attack. To steal an image, the malicious app exploits the preview function and is able to grab the image.
Check out the videos below and you can see for yourself in a side-by-side comparison of what happens on both the attacker's phone and the target phone – pretty scary stuff. The researchers tested seven apps – Amazon, Chase, Gmail, H&R Block, Hotels.com, NewEgg and WebMD – and only Amazon was resistant to this type of attack. They said that its user interface was so complex, it was hard for the attacking app to know what was occurring on the target phone. The three wrote in their research paper, "We expect the technique to be generalizable to all GUI systems with the same window manager design as that in Android, such as the GUI systems in Mac OS X, iOS, Windows, etc." This problem is not just within Android, but one that needs looked into for all operating systems to prevent this type of attack from occurring in the future.