A team of researchers has discovered a flaw across the Android, iOS and Windows operating systems that could allow malware to steal personal information. The researchers found that six out of seven popular apps could be hacked with up to a 92 percent success rate.
Researchers from the University of California, Riverside Bourns College of Engineering and the University of Michigan tested the method on an Android phone, but the team believes it could be used across all three operating systems because they share a similar feature: all apps can access a mobile device's shared memory.
The researchers demonstrated malware running on an Android smartphone that was able to steal information such as login details, credit card numbers and even sensitive pictures taken with the victim's smartphone camera.
"The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at UC Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."
The researchers tested the method on seven popular apps. Among the apps they easily hacked were Gmail, CHASE Bank, Hotels.com and H&R Block. Amazon was the only app they tested that was difficult to penetrate, with a 48 percent success rate. The team said this was most likely due to the UI model Amazon uses in its app.
"The Amazon app case indicates that our inference method may not work well if certain features are not sufficiently distinct, especially the major contributors such as the transition model and the network event feature," the researchers write in the paper.
The team will present its paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks" (PDF), at the USENIX Security Symposium in San Diego on August 23.
The number of cyber attacks has increased considerably in the last year. Yahoo and Google have recently teamed up to create spy-free email systems that will make it impossible for hackers to scan users' messages. The internet giants recently made phone numbers mandatory for creating new email IDs.
Source: Phys.org, UI State Inference Attack