Researchers at the University of Michigan and the University of California, Riverside discovered that six out of seven popular apps could be hacked with up to a 92 percent success rate by a malware-ridden app on the same device, which can infiltrate other apps on the phone regardless of their levels of security.
The weakness allowed researchers to access apps like Gmail, Chase Bank, and H&R Block on Android. The vulnerability is also thought to exist on the iOS and Windows Phone platforms, though the team has not yet assessed them. Amazon, with a 48 percent success rate, was the only tested application that was difficult to penetrate.
According to the team, made up of Zhiyun Qian (UC Riverside), Z. Morley Mao (U. of Michigan), and Qi Alfred Chen (U. of Michigan Ph.D. student), the main vulnerability exists in shared memory.
“The fundamental reason for such confidentiality breach is in the Android GUI framework design, where every UI state change can be unexpectedly observed through publicly accessible side channels,” the report says.
By exploiting this vulnerability, an attacker can steal the personal data a user enters. One example might be when a user opens a banking app and logs in. The hacker would be notified and could begin an “activity hijacking attack,” allowing them to get a user’s personal information.
Another example could be when a check is deposited electronically. A “camera peeking attack” could steal the image of the check, allowing hackers access to sensitive information such as the bank account number, routing number and signature.
Complete research can be found here and demos can be found here.