A team of researchers can hack the Gmail smartphone app on Android by disguising malicious software as another app.
A number of apps were tested, with Gmail being one of the easiest to hack at a success rate of 92 percent.
While the hack was only tested on Android devices, the researchers believe the same type of hack could happen on other operating systems, including Windows Phone and iOS. This is because all three operating systems allow apps to have access to a smartphone's shared memory.
"The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at the University of California, Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."
To perform the hack, researchers first downloaded something that appeared benign, such as a wallpaper. They then used that app as a disguise for malicious software. The researchers were then able to use the app to access the device's shared memory statistics, after which they could monitor changes in the shared memory and correlate those changes to particular apps. Eventually, the researchers were able to track exactly what a user was doing.
A number of other mobile Android apps were hacked, including H&R Block, Amazon, Newegg, WebMD and Chase Bank. According to the researchers, the Amazon app was the hardest to hack, with a 48 percent success rate.
In the case of the Chase Bank app, which allows users to pay in checks by taking pictures of them, the researchers effectively were able to steal photos being taken, which gave them access to information such as signatures and bank details.
While the hack did have a rather high success rate, its timing was an extremely important factor. "By design, Android allows apps to be preempted or hijacked," said Qian. "But the thing is you have to do it at the right time so the user doesn't notice. We do that and that's what makes our attack unique."
A spokesperson for Google says the company welcomes the research. "Third-party research is one of the ways Android is made stronger and more secure," she said.
Despite this, other companies may not be as happy about the hacking research. A number of operating systems are likely to be vulnerable, according to the researchers.
"We expect the technique to be generalizable to all GUI systems with the same window manager design as that in Android, such as the GUI systems in Mac OS X, iOS, Windows, etc.," the team said in their paper.