“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, an associate professor at UC Riverside. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
“The Amazon app case indicates that our inference method may not work well if certain features are not sufficiently distinct, especially the major contributors such as the transition model and the network event feature,” the researchers write in the paper.
- First, the attack needs to take place at the exact moment that the user is performing the action.
- Second, the attack needs to be conducted in such a way that the user is unaware of it.
“We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen,” said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. “It’s seamless because we have this timing.”