The team of researchers, Zhiyun Qian of the University of California, Riverside, and Z. Morley Mao and Qi Alfred Chen from the University of Michigan, will present its paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks”, at the USENIX Security Symposium in San Diego on August 23.
The paper details a new type of attack, which they call a UI [user interface] state inference attack, in which a malicious app runs in the background without the user’s knowledge.
Although the researchers demonstrated the hack using an Android device, they believe that the same method could be used across all three operating system platforms, because when users download multiple apps to their smartphones, the apps are all running on the same shared platform, or operating system.
“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, an associate professor at UC Riverside. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
Users are therefore left open to such attacks, as an Android phone allows itself to be hijacked or pre-empted. According to the team, the method could allow a hacker to steal a user’s password or social security number, peek at a photo of a check on a banking app, or swipe credit card numbers and other sensitive data. The team tested several apps and found some, including WebMD, Chase and Gmail, vulnerable.
To demonstrate the attack on an Android device, an unsigned app such as a wallpaper changer carrying malicious code is first installed on the user’s phone. Once installed, an attacker can use it to access an entry point that the researchers call a “shared-memory side channel”, which exists in nearly all popular Graphical User Interface (GUI) systems. Accessing this channel for any process doesn’t require any special privileges.
The researchers then monitored the changes in this shared memory and were able to determine specific “activity transition events” like a user logging into Gmail or H&R Block, or taking a picture of a check to deposit it online via Chase Bank.
In all, the team tried to access seven apps, six of which were easily hacked. Gmail and H&R Block were the easiest to hack, with a success rate of 92 percent. On the other hand, Amazon was by far the hardest, with just a 48 percent success rate.
“The Amazon app case indicates that our inference method may not work well if certain features are not sufficiently distinct, especially the major contributors such as the transition model and the network event feature,” the researchers write in the paper.
Using a few other side channels, the team was able to accurately detect what a user was doing in real time in an app. Because this security hole is not unique to Android, the hack could presumably be used on iOS and Windows as well, the researchers say.
A successful attack requires two things:
- First, the attack needs to take place at the exact moment that the user is performing the action.
- Second, the attack needs to be conducted in such a way that the user is unaware of it.
The team managed to pull this off by carefully timing the attacks.
“We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen,” said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. “It’s seamless because we have this timing.”
At the USENIX Security Symposium, the researchers will recommend methods to try to eliminate the side channel and will suggest more secure system designs, the team said in the paper. But if you want to keep yourself safe from an attack like this, it’s always good practice to be very careful about the apps you download onto your phone, especially apps from unofficial sources.
Source : THN