Mobile OS weakness allows researchers to hack Gmail with 92 percent success rate
The operating system of your smartphone may not be as secure as you think and could make your email account susceptible to hacking.
Engineers at the University of California, Riverside Bourns College of Engineering and the University of Michigan have discovered a flaw in mobile operating systems such as Android, Windows and iOS that may enable malicious applications to access personal data. The weakness enabled the researchers to hack several apps, including Gmail, with a success rate of between 82 and 92 percent.
Although the research team tested the method only on an Android-powered smartphone, they believe the technique will be just as effective on iOS and Windows, because all three ecosystems share the same feature.
So what is this common feature? Every application is able to read the shared memory data of a mobile device.
"The assumption has always been that apps cannot interfere with each other easily. We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user," explained Zhiyun Qian, an assistant professor at the University of California, Riverside Bourns College of Engineering.
So how does the attack work? A user simply needs to download an app that looks innocuous on the face of it but is actually malicious, such as a wallpaper background. Once the user has installed the app, the researchers were able to take advantage of the flaw: the shared memory data of a process can be retrieved without any special privileges.
By exploiting the weakness, the researchers were easily able to hack Gmail (92 percent success), WebMD (85 percent success), H&R Block (92 percent success) and Chase Bank (83 percent success). Interestingly, the research team found Amazon much harder to infiltrate (48 percent success rate).
According to Qian, two key factors are essential to the success of the hacking. First, the attack has to occur at the "right time", i.e. the exact moment when the user is logging into the app or performing an activity such as taking a picture. The second important factor is the manner in which the attack is carried out: it has to be discreet. To achieve this, the research team timed the attack carefully.
The research paper "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks" is slated to be presented on Friday, August 22, at the 23rd USENIX Security Symposium in San Diego.
Check out the video below showing the hijacking attack on the H&R Block app.