While Android is usually the mobile platform of choice for hackers, new research that’s about to be presented at the USENIX Security Symposium in San Diego shows that it’s actually possible to use a newly discovered trick to steal data from an unsuspecting smartphone user’s apps, whether they’re running Android, iOS or Windows Phone, Phys.org reports.
Researchers have discovered a clever way of spying on a targeted device in real time and stealing information that takes advantage of the way apps work on a smartphone. Even though the researchers only tested their findings on Android, they believe they can exploit it in a similar manner on iOS and Windows Phone.
“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, a researcher in the Computer Science and Engineering Department at UC Riverside. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
The researchers used the method to hack the following apps: Gmail (92% success rate), H&R Block (92% success rate), Newegg (86% success rate), WebMD (85% success rate), CHASE Bank (83% success rate), Hotels.com (83% success rate) and Amazon (48% success rate).
However, while the procedure can help them steal data from apps, certain conditions have to be met. For starters, a malware app has to be installed on the device, but nothing as complex as described in some reports. Instead, a wallpaper app may be enough to get the job done.
“Once that app is installed, the researchers are able to exploit a newly discovered public side channel—the shared memory statistics of a process, which can be accessed without any privileges,” the publication writes, explaining that shared memory is a “common operating system feature to efficiently allow processes share data.”
Changes in shared memory can be monitored, and the researchers can correlate them to what the user is doing to track his or her actions in real time and capture the information at the right moment.
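A defensive check for the channel described above, as an added example that is not from the article or the researchers: on Linux-based systems such as Android, per-process memory counters (including shared pages) are published in `/proc/<pid>/statm`, and the procfs `hidepid` mount option controls whether one user can read another user's entries. The procfs path, the mount option and the function names are details supplied here rather than stated in the article, and the sample mount lines are constructed.

```python
# Added example: audit whether procfs exposes other users' per-process
# statistics. Sample mount lines are constructed, not taken from a device.
import os

# hidepid values that block reading another user's /proc/<pid>/ entries
HIDEPID_PROTECTED = {"1", "2", "4", "noaccess", "invisible", "ptraceable"}

OPEN_MOUNTS = "proc /proc proc rw,relatime 0 0\n"
HARDENED_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,hidepid=2 0 0\n"


def parse_statm(line):
    """Split one /proc/<pid>/statm line into named page counts."""
    names = ("size", "resident", "shared", "text", "lib", "data", "dt")
    fields = line.split()
    if len(fields) != len(names):
        raise ValueError("unexpected statm format: %r" % line)
    return dict(zip(names, (int(f) for f in fields)))


def procfs_hidepid(mounts_text):
    """Return hidepid for the /proc mount ('0' if unset), None if no mount."""
    value = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "/proc" or parts[2] != "proc":
            continue
        value = "0"  # kernel default: every user can read every pid entry
        for opt in parts[3].split(","):
            if opt.startswith("hidepid="):
                value = opt.split("=", 1)[1]
    return value


def other_process_stats_exposed(mounts_text):
    """True if an unprivileged user could read another user's statm."""
    value = procfs_hidepid(mounts_text)
    return value is not None and value not in HIDEPID_PROTECTED


if __name__ == "__main__" and os.path.exists("/proc/self/statm"):
    # On a live Linux host: show this process's own counters and the
    # current procfs policy. Only this process's own entry is read.
    with open("/proc/self/statm") as f:
        print("own shared pages:", parse_statm(f.read())["shared"])
    with open("/proc/mounts") as f:
        print("exposed to other users:", other_process_stats_exposed(f.read()))
```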
In order to work, the attackers need to monitor the device and perform the attack exactly when the user does the desired action, whether it’s logging into an online banking app or shopping, as the malware program won’t be able to simply keep a log of what the user is doing.
Demo videos showing how this hack can be used to retrieve data in real time from a target device, including login credentials, credit card details and even pictures, are available at the source link.