If we’ve said it once, we’ve said it a thousand times: Be careful about the apps you download onto your Android phone. A trio of researchers say they’ve discovered a new way to use a malicious Android app to nab critical information on an Android phone, such as login details, social security numbers, and images of checks submitted for deposit.
Researchers Zhiyun Qian, of the University of California, Riverside, and Z. Morley Mao and Qi Alfred Chen from the University of Michigan are set to present their findings during the Usenix Security Symposium in San Diego on Friday.
The attack works by having a malicious app monitor actions on a phone and wait for the user to open and start using a target app, such as Gmail, H&R Block, or Chase Bank. The bad app then exploits data in shared memory to basically make an educated guess about what a user is doing in the other app at that exact moment.
The malicious app can then attempt to retrieve whatever data the user is entering into the target app by injecting a fake login screen before the real one appears. This is known as a phishing attack and is a very common way for hackers to steal sensitive data.
But phishing isn’t the only attack the researchers used to nab data. In one of several video examples the researchers posted online, a target phone attempts to deposit a check by snapping a picture of it in the Chase Bank app. The malicious app is then able to grab the check image and send it to the attacker’s phone.
This bit of trickery again relies on some educated guesswork via shared memory, but doesn’t use a phishing attack. When a smartphone takes a picture, the device screen shows a preview: a video stream of whatever the camera is pointed at. The malicious app is able to grab frames of this video stream while your camera is in preview mode. In the case of Chase Bank, the app is again guessing that you are lining up your camera to take a shot of a check.
The attack method sounds pretty ominous owing to the kind of information it could grab, but it does come with some major caveats.
First, you have to download a malicious app to start monitoring your activity. Then, the attack has to happen at the exact moment you are entering sensitive information or snapping a picture containing sensitive data (like that check photo).
Second, because stealing credentials ultimately relies on a phishing attack, the malicious app has to inject a phony, look-alike login screen without the user noticing. That means the fake screen has to be precisely timed. The fake login screen also has to be designed to match the normal login screen exactly—although some people will trust almost any screen they see on their phone.
Despite its seeming complexity, the researchers say their success rate was quite high when testing their attack with 10 volunteers who were asked to interact with the app—the volunteers did not log in to the phones with their own information.
The researchers say that during the tests they succeeded at hacking Gmail and H&R Block 92 percent of the time, as well as Newegg (86 percent), WebMD (85 percent), Chase Bank (83 percent), and Hotels.com (83 percent).
The only app of the seven that showed serious resistance was Amazon’s shopping app with attacks successful only 48 percent of the time.
The researchers also claim these attacks are possible on other operating systems such as iOS and Windows, as they all use shared memory mechanisms.
Since the attack sounds fairly difficult, we’ve asked a few security experts to weigh in on how likely it would be for this attack scenario to succeed in the wild. We’ll update this post should they respond.
UPDATE (August 23, 2014): Timo Hirvonen, senior researcher at security firm F-Secure, shared his thoughts with us about this new attack. Although the attack sounds difficult to pull off, Hirvonen told us, it wouldn’t be—even though some parts of the attack need to be tailored for specific apps.
“I hope malware authors don’t read academic papers since I could see at least some elements being very useful in a practical malware attack,” Hirvonen said.
Whether or not you’re likely to succumb to an attack such as this, it’s always a good reminder to be very careful about the apps you load onto your phone—especially if you’re sideloading apps from unofficial sources.