Mischief on the line

Please hold . . .

A weakness believed to exist in Android, Windows, and iOS operating systems could be used to obtain personal information from unsuspecting users, research at the University of Michigan has shown. The team demonstrated the hack on an Android phone.

The method was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Gmail, CHASE Bank, and H&R Block were among those easily compromised.

The hack is particularly dangerous because it allows attackers to time the moment they present the user with a fake screen to when the user is expecting to enter sensitive data.

“We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen,” says Qi Alfred Chen, a doctoral student in electrical engineering and computer sciences at U-M. “It’s seamless because we have this timing.”

Chen, who works under Zhuoqing Morley Mao, an associate professor of electrical engineering and computer science at U-M, presented the research in August at the 23rd USENIX Security Symposium in San Diego, Calif.

Interfering apps

Chen, Mao, and co-author Zhiyun Qian, an assistant professor at the University of California, Riverside, believe their method will work on other operating systems in which apps can freely read the phone’s shared memory statistics. This feature lets processes share data efficiently, but it also lets malware track user behavior. Even if that channel were blocked, Chen believes that other side channels could be exploited to the same end.

“The assumption has always been that these apps can’t interfere with each other easily,” says Qian, a recent doctoral graduate from Mao’s group. “We show that assumption is not correct, and one app can in fact significantly impact another and result in harmful consequences for the user.”

The attack starts when a user downloads a seemingly benign app — controlling the phone’s wallpaper, for instance. When that app is running in the background, attackers can access the shared memory without needing any special privileges.

The researchers monitored changes in the shared memory and correlated the changes to what they call “activity transition events.” These included logging into a service or photographing a check so that it could be deposited online. Augmented with a few other side channels, the team could fairly accurately track user activity in real time.
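The two paragraphs above describe the core of the technique: a background app reads a shared-memory counter that it is allowed to see, watches for step changes, and matches each step against what it learned about the target app in advance. The Python below is an added illustration written for this article; it is not the researchers' code and does not touch a real device. The trace, the "signature" step sizes and the Activity names are all constructed. It also shows the kind of mitigation the researchers call for: if the operating system reports the counter only at a coarse granularity (the `coarsen` function is a hypothetical defence, not an Android feature), the steps that distinguish one screen from another disappear.

```python
from typing import Dict, List, Tuple

# Constructed trace of one app's shared-memory size in pages, sampled at a
# fixed interval while the user moves between screens. Values are invented
# for the demonstration: the baseline sits near 1000 pages, and each screen
# (Activity) transition shows up as a step because the new screen allocates
# its own window buffers.
SAMPLE_TRACE: List[int] = [1000, 1002, 1001, 1301, 1303, 1302,
                           1482, 1480, 1481, 1000, 1001]

# Hypothetical signatures: the step size (in pages) associated in advance
# with each screen of the target app. These are made up for the example.
SIGNATURES: Dict[int, str] = {300: "LoginActivity", 180: "DepositCheckActivity"}

NOISE_FLOOR = 50   # steps smaller than this are ordinary allocator jitter
TOLERANCE = 20     # how close a step must be to a signature to count as a match


def infer_transitions(trace: List[int]) -> List[Tuple[int, int, str]]:
    """Return (sample index, step size, inferred screen) for each step in the
    trace that rises above the noise floor. A step that matches no known
    signature is reported as "unknown"."""
    found: List[Tuple[int, int, str]] = []
    for i in range(1, len(trace)):
        step = trace[i] - trace[i - 1]
        if abs(step) < NOISE_FLOOR:
            continue
        label = "unknown"
        for size, name in SIGNATURES.items():
            if abs(step - size) <= TOLERANCE:
                label = name
                break
        found.append((i, step, label))
    return found


def coarsen(trace: List[int], granularity: int) -> List[int]:
    """Hypothetical defence: expose the counter only rounded down to a coarse
    granularity, so the small per-screen differences no longer appear as
    distinguishable steps to an observer."""
    return [(v // granularity) * granularity for v in trace]


if __name__ == "__main__":
    print("raw counter:     ", infer_transitions(SAMPLE_TRACE))
    print("1024-page grain: ", infer_transitions(coarsen(SAMPLE_TRACE, 1024)))
    print("2048-page grain: ", infer_transitions(coarsen(SAMPLE_TRACE, 2048)))
```

On the raw trace the observer recovers both screen changes and the moment the user leaves the app, which is exactly the timing the article says makes the fake-screen attack seamless. At a 1024-page granularity the observer still sees that something changed but can no longer tell which screen it was; at 2048 pages every reading collapses to the same value and nothing is recovered. Coarsening is a partial measure that trades away legitimate uses of the statistic, which is why the researchers frame the fix as a deliberate security-versus-functionality tradeoff rather than a free win.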

Chen suggests that check images are a particular risk. “A camera-peeking attack can steal your account number, home address, and even your signature,” he says.

The researchers created three short videos that show how the attacks can steal login and social security information from H&R Block, check images from CHASE Bank, and credit card details from Newegg.

[Please note: The video does not include audio. See more clips that demonstrate other “sneak attacks.”]

“Don’t install untrusted apps”

Of the seven apps, Amazon gave the team the most trouble, with a 48 percent attack success rate. This is an accident of the app’s flexibility – it allows one activity to transition to almost any other activity, increasing the difficulty of guessing what the user will do next.

Asked what a smart phone user can do about this situation, Qian says, “Don’t install untrusted apps.”

Chen added that users should also be wary of the information access requested by apps on installation. It is dangerous to allow access to the user interface state, which is the channel that the team used to time their attacks.

On operating system design, Qian says a more careful tradeoff between security and functionality needs to be made in the future; for example, side channels need to be eliminated or more explicitly regulated.

(This story was prepared in collaboration with Sean Nealon at the University of California, Riverside. The paper is titled “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks.”)

(Top image credit: University of California, Riverside.)

Comments

  1. Jim Hanson - BSE 67, MSE 68

    no sound in the video


    • Deborah Holdship

      Sorry, Jim: I should have made it clear that the video does not feature sound. I’ve since made a note in the story.


  2. blobs berg - 2

    Can’t wait for the click bait media to pick up on this and blow it out of proportion. Interesting article, nonetheless.


  3. Mike Swartz - 1981

    This risk is exacerbated by the fact that the current crop of apps habitually require every permission under the sun and users don’t pay enough attention to that. We need to reject apps that demand more permissions than necessary to fulfill the app’s function. For example, why does a flashlight app need access to my contact list?
    No matter how much I desire a particular app, if it requires a permission that I don’t feel is justified, I don’t install it. I send the author a message stating that I will not install the app until either the permission requirement is dropped or justification is provided as to why it is needed. If we all did this, app developers would have to clean up their act.
