University of California

Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information.

Although it was tested only on an Android phone, the team believes that the method could be used across all three operating systems because all three share a similar feature: all apps can access a mobile device's shared memory.

"The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at UC Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

To demonstrate the method of attack, first a user must download an app that appears benign, such as a wallpaper, but actually contains malicious code. Once installed, the researchers can use it to access the shared memory statistics of any process, which doesn't require any special privileges.

The researchers then monitor the changes in this shared memory and are able to correlate changes to various activities -- such as logging into Gmail, H&R Block, or taking a picture of a cheque to deposit it online via Chase Bank -- the three apps that were most vulnerable to the attack, with a success rate of 82 to 92 percent. Using a few other side channels, the team was able to accurately track what a user was doing in real-time.

In order to pull off a successful attack, two things need to happen: first, the attack needs to take place at the exact moment that the user is performing the action. Second, the attack needs to be conducted in such a way that the user is unaware of it. The team managed to pull this off by carefully timing the attacks.

"We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen," said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. "It's seamless because we have this timing."

Of the seven apps tested, Amazon was the hardest to crack, with a 48 percent success rate. This is because the app allows one activity to transition to another activity, making it harder to guess what the user will do next.

To circumvent this issue, Qian suggested, "Don't install untrusted apps", adding that users should also be wary of the information access requested by apps on installation.

The team will present its paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks" (PDF), at the USENIX Security Symposium in San Diego on August 23. You can watch some short videos of the attacks in action below.