
Thursday, August 21, 2014

Computer scientists have discovered a method of hacking smartphone apps across Android, iOS and Windows devices that is effective up to 92 percent of the time on six of seven popular apps, including Gmail.

The method, reported in a paper to be presented at Friday's USENIX Security Symposium in San Diego, involves exploiting GUI state changes common in every major smartphone operating system. In their tests on Android, the researchers first installed an innocuous, unsigned app -- such as a wallpaper changer -- carrying malicious code on the user's phone.

The code monitors a newly exposed public side channel, which details the shared memory statistics of other processes. By using changes in these statistics, the researchers from the University of California, Riverside were able to determine specific "activity transition events" such as a user logging into Gmail, or taking a picture of a cheque to deposit through the CHASE banking app.
[Video: Camera Peeking Attack on Chase App, by Qi Alfred Chen]
Once they knew a target phone was entering one of these activity windows, the researchers timed their attack so that they could inconspicuously enter the app at the exact moment it was vulnerable and extract pertinent data. In the case of the CHASE app, they were able to take control of the camera at the exact time a photo was taken for the banking app and force it to take a second picture of the cheque in order to send it to themselves.
Among the apps the hack was successfully used on were Gmail (92 percent success), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent), CHASE Bank (83 percent) and Hotels.com (83 percent). The team also tried the method on Amazon's app but were only able to achieve a 48 percent success rate. They explained that this was due to the way Amazon's UI transitions function: at any point the user can enter any other UI state, making it very difficult to predict where they are in the app from the memory statistics.
The team, led by assistant professor of Computer Science and Engineering Zhiyun Qian, hopes that by presenting their findings, these side channels will become more tightly regulated or closed off. His advice until then? "Don't install untrusted apps."
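As an added example (not code from the article or the paper), the following script checks whether the shared-memory statistic described above can be read across user boundaries on a Linux host, which is the condition the side channel depends on. It assumes the statistic is the third field of /proc/<pid>/statm, which the article does not name, and the sample polls are constructed.

```python
"""Audit the per-process shared-memory side channel on a Linux host.
Added example; assumes the statistic is /proc/<pid>/statm (third field =
shared pages), an assumption not stated on the page."""
import os

STATM_FIELDS = ("size", "resident", "shared", "text", "lib", "data", "dt")


def parse_statm(line: str) -> dict:
    """Parse one /proc/<pid>/statm line (page counts) into named fields."""
    parts = line.split()
    if len(parts) != len(STATM_FIELDS):
        raise ValueError(f"unexpected statm layout: {line!r}")
    return dict(zip(STATM_FIELDS, (int(p) for p in parts)))


def shared_pages_delta(samples: list) -> list:
    """Change in the 'shared' field between consecutive polls. A defender
    can use this to gauge how visibly an app's transitions show up."""
    shared = [parse_statm(s)["shared"] for s in samples]
    return [b - a for a, b in zip(shared, shared[1:])]


def readable_foreign_statm(proc_root: str = "/proc") -> list:
    """Return PIDs owned by another UID whose statm this user can read.
    An empty list means the channel is closed for this user, e.g. /proc
    mounted with hidepid=2 or the kernel denying the read."""
    me = os.getuid()
    try:
        names = os.listdir(proc_root)
    except OSError:
        return []
    leaking = []
    for name in names:
        if not name.isdigit():
            continue
        path = os.path.join(proc_root, name)
        try:
            if os.stat(path).st_uid == me:
                continue
            with open(os.path.join(path, "statm")) as fh:
                parse_statm(fh.readline())
        except (OSError, ValueError):
            continue
        leaking.append(int(name))
    return leaking


# Constructed samples: three polls of a hypothetical app's statm; the jump
# in the third field stands in for an activity transition.
SAMPLE_POLLS = [
    "52000 12000 3000 400 0 8000 0",
    "52000 12050 3010 400 0 8000 0",
    "61000 15000 5200 400 0 9000 0",
]
```

Running `readable_foreign_statm()` on a host with the default /proc mount typically returns many PIDs; mounting /proc with `hidepid=2` (or a stricter kernel policy) shrinks that list to empty for unprivileged users.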