Researchers have developed a proof-of-concept malware running on an Android OS that can silently syphon sensitive data from mobile apps on Android, iOS and Windows Phone with up to a 92% success rate.
The team of experts is composed by Zhiyun Qian, of the Computer Science and Engineering Department at University of California; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.
The expert have demonstrated that malware works also on iOS or Windows Phone operating systems, but they believe that the flaw exploited by the malicious code exists also in them “because they share a key feature researchers exploited in the Android system.”
“The assumption has always been that these apps can’t interfere with each other easily. We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.” said Zhiyun Qian, one of the researchers involved in the development.
Bad actors using a malicious code like the one developed by researchers, could potentially steal information such as login credentials, credit card data and other sensitive data like pictures taken with the victim’s smartphone camera.
The first stage of the attack chain starts when the victim download and instal what looks like a harmless application, which is in fact a component of the malware. The experts said that the process is quite easy for Android mobile, Android users can download the app through third-party app stores. The infection is not easy for iOS platform, because Apple only allows users to download apps from the official App Store.
The success of the attack depends on the presence of the attacker in the proximity of the victim when he provides the sensitive data as explained by the researchers. The attack exploits “a newly discovered public side channel”, it allows the access to the shared memory statistics of an app’s process, an operation that doesn’t require any specific privilege.
The researchers demonstrated the efficiency of the malware based attack on different app, including Gmail, Amazon, Newegg, Hotels.com and an app from Chase bank.
The malware based attack is easy as efficient, the researchers have designed a malicious code that constantly monitors for changes in the shared memory of the target app and once the malware notices a change in an “activity transition event” it captures the data.
The researchers have published three proof-of-concept videos that shows how the attack works, the experts were able to syphon login details, credit card information and pictures.
The test provided interesting results, Gmail was the most vulnerable app with a 92% success rate in capturing sensitive data, while Amazon was the least vulnerable with just a 48% success rate.
“Here is a list of the seven apps the researchers attempted to attack and their success rates: Gmail (92 percent), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent), CHASE Bank (83 percent), Hotels.com (83 percent) and Amazon (48 percent). Amazon was more difficult to attack because its app allows one activity to transition to almost any other activity, increasing the difficulty of guessing which activity it is currently in.” states the post on the research.
The researchers will publish their full report, titled Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks on Friday, 22 August at a security conference in San Diego.
Waiting for the final report let me suggest you to avoid to install untrusted applications.
(Security Affairs – mobile apps, hacking)