Saturday, August 23, 2014

Gmail Android app hacked by researchers

US researchers have found a weakness in Google’s popular Android operating system. Your most trustworthy apps may be at risk. Researchers say they have found a way to hack Gmail apps with a 92 percent success rate.

The vulnerability extends to a number of other apps including H&R Block, Newegg, WebMD, Chase Bank, Hotels.com and Amazon, according to their study. In most cases, their technique succeeded 80-90% of the time. Amazon’s app was the most difficult to crack at 48%.

Although the paper only covers these seven Android apps, the researchers said their hacks exploit a vulnerability that apps on other operating systems likely share.
"I certainly think the report is credible," cyber-security analyst Michela Menting said in an email. "If a researcher or a hacker looks hard enough, there will be ways to exploit any number of vectors within an application."

Technical Section (How did they do it?)

The hack begins when a user downloads malicious software disguised as a seemingly harmless app, such as a background wallpaper app. Next, the masquerading app exploits a common feature of operating systems, shared memory, to figure out what users are doing on their smartphones.

When timed properly (say, just as a user is entering a username and password, or snapping a picture of a personal check), a hacker can launch a phishing attack. Users think they’re punching their passwords into an app like Gmail, Amazon or Chase, but they’re actually typing them into a sham screen generated by the malicious app. “At this point, the information is stolen and the attack succeeds,” the authors said in the study. Two of the researchers hail from the University of Michigan and another from the University of California at Riverside.

Demo videos show how a hacker could use another phone to monitor the activity on the sensitive apps and grab personal information when entered by the victim.





The hack exploits the same design principle that allows alarms and reminder apps to pop up on a smartphone. Zhiyun Qian, assistant professor at UC Riverside and one of the study’s authors, said in a statement that “by design, Android allows apps to be preempted or hijacked.”

The hacker would gain access by getting a user to install a seemingly harmless app, such as a phone wallpaper, which then uses a newly discovered public side channel that doesn't require privileges. Shared memory, the feature behind the side channel, allows processes to share data efficiently and is quite common, since all of a phone's downloaded apps interact with one operating system.

"The assumption has always been that these apps can't interfere with each other easily," researcher Zhiyun Qian said in a statement. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

Why is Amazon less vulnerable?

The researchers said they had only a 48 percent success rate with the Amazon app because it allows transitions from one activity to almost any other, increasing the difficulty of guessing what the user is doing and finding the exact moment to steal data.


How to secure your smartphone from it?
  • Users should be cautious and only download apps from trusted sources—big, popular apps are hacker magnets.
  • Do a routine check of your smartphone and tablet, especially if you have little ones using the device, to ensure that only apps that can be trusted are installed. Immediately uninstall apps that appear to be from unknown sources or are not necessary.
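
One way to run the routine check described above from a computer, as an added example that is not part of the original article: `adb shell pm list packages -3 -i` lists each third-party package with its installer of record, and the script below flags packages that did not come from a trusted store. The allowlist (Google Play only) and the sample listing are assumptions constructed for illustration.

```python
import re

# Assumption: Google Play is the only trusted installer; extend the set as needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Matches rows such as "package:com.example.app  installer=com.android.vending"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_packages(listing):
    """Return {package: installer or None} from `pm list packages -i` output."""
    result = {}
    for raw in listing.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip blank lines and anything that is not a package row
        installer = match.group("installer")
        # Sideloaded apps are reported with the literal string "null".
        result[match.group("pkg")] = None if installer == "null" else installer
    return result


def untrusted_packages(listing, trusted=TRUSTED_INSTALLERS):
    """Packages whose installer of record is missing or not in the allowlist."""
    packages = parse_packages(listing)
    return sorted(pkg for pkg, inst in packages.items() if inst not in trusted)


# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE = """\
package:com.google.android.gm  installer=com.android.vending
package:com.example.wallpapers  installer=null
package:com.example.notes  installer=com.example.thirdpartystore
package:com.amazon.mShop.android.shopping  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg in untrusted_packages(SAMPLE):
        print("review or uninstall:", pkg)
```

The installer of record only shows where an app came from; it does not show that the app is benign, so flagged packages are candidates for review rather than confirmed malware.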

The researchers suspect their method will work just as well on other mobile operating systems, such as Apple iOS and Microsoft Windows, although they have yet to attempt the hack on those systems. They were scheduled to present their findings today at the USENIX Security Symposium in San Diego.
Google did not immediately respond to a request for comment.