Android Security Flaw Leaves Gmail Vulnerable To Hackers

A security flaw in Android — and potentially all — mobile devices allows malicious apps to exploit a phone's shared memory and seize sensitive data.

Security researchers have uncovered a major flaw in mobile operating systems that could give hackers easy access to personal information. Here's the scary bit: in the researchers' tests, the attack broke into Gmail accounts with a 92 percent success rate.

Researchers from the University of Michigan and the University of California, Riverside have detailed a type of hack they're calling a "UI state inference attack." Basically, a malicious app installed on your device can monitor that device's shared memory to get a general idea of what's happening in other apps.

And hackers can use this information to launch a variety of unpleasant attacks — one of the researchers showed how a UI inference attack could hijack the appearance of some apps to steal personal data, or even peek into the device's camera to copy photos. (Video via YouTube / Qi Alfred Chen)

A Greenbot writer notes actually using this vulnerability is pretty complicated. "First, you have to download a malicious app to start monitoring your activity. Then, the attack has to happen at the exact moment you are entering sensitive information. ... The malicious app has to inject a phony, look-alike login screen without the user noticing. That means the fake screen has to be precisely timed."

Despite the difficulty, researchers had pretty high success rates when testing seven popular apps. Gmail and H&R Block were particularly vulnerable, with a 92 percent success rate for the hack, while Amazon's app was only cracked 48 percent of the time.

Phys.org points out the Amazon app was more difficult to exploit since it allows users to transition between activities seamlessly, "increasing the difficulty of guessing which activity it is currently in."

The team tested their hacks only on Android phones, but suspect the exploit might be an issue on other platforms as well, since shared memory is a common feature of pretty much every mobile OS.

One of the researchers noted this attack relies on the false belief that apps generally work in isolation of each other. "The assumption has always been that these apps can’t interfere with each other easily. ... One app can in fact significantly impact another and result in harmful consequences for the user."

The research is being presented Friday at the USENIX Security Symposium, which will hopefully lead to some solutions being developed. Until then, the best advice researchers have for avoiding these attacks is not to download sketchy apps in the first place.

This video contains images from Getty Images.