Researchers have found a way to hack into Gmail accounts with a success rate of 92 percent through a vulnerability in smartphone operating systems.
The security flaw has so far been tested only on Android devices. However, the researchers claim that the vulnerability can be exploited in other operating systems like iOS and Windows Phone.
Researchers from the University of Michigan and the University of California Riverside Bourns College of Engineering claim that they were able to gain unauthorized access to Gmail and other apps using malware that pretends to be a downloaded app. The attack works through a malicious app, such as a background wallpaper for a phone. Once the malware is installed, attackers can exploit a public side channel in smartphone operating systems, which can be accessed without any privileges.
The study, titled "Peeking Into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," will be presented today at the USENIX Security Symposium in San Diego, California. In the paper, the team details how it was able to hack into other apps.
The researchers said they were able to lift images of checks from the app for Chase bank. The engineers had a similarly high success rate with that hack, which came to 83 percent. The team also gained access to the information in the apps for Amazon, Newegg, H&R Block, Hotels.com and WebMD. The security hole exploited through the apps is more worrying, since it can be used to steal sensitive information like Social Security numbers. However, the effectiveness of the technique with the five apps varied. H&R Block had the highest success rate at 92 percent, followed by Newegg at 86 percent, WebMD at 85 percent, Hotels.com at 83 percent and Amazon at 48 percent.
"The assumption has always been that these apps can't interfere with each other easily," Zhiyun Qian, an assistant professor at UC Riverside, said in a statement. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."
To prevent an attack, Qian advises users to keep away from "untrusted apps." He also urged OS developers to eliminate the side channel altogether in future releases.