Researchers have demonstrated a novel method to capture sensitive user data on Android by using the shared memory statistics of a process (demonstration [Video]). As with most Android malware, a user has to install a malicious app first, however one of the malicious apps demonstrated only had the "Internet" permission.
The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate. The researchers believe their method will work on other operating systems because they share a key feature researchers exploited in the Android system. However, they haven’t tested the program using the other systems. The researchers started working on the method because they believed there was a security risk with so many apps being created by so many developers. Once a user downloads a bunch of apps to his or her smart phone they are all running on the same shared infrastructure, or operating system.
“The assumption has always been that these apps can’t interfere with each other easily,” Qian said. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel — the shared memory statistics of a process, which can be accessed without any privileges. (Shared memory is a common operating system feature to efficiently allow processes to share data.) The researchers monitor changes in shared memory and are able to correlate changes to what they call an “activity transition event,” which includes such things as a user logging into Gmail or H&R Block or a user taking a picture of a check so it can be deposited online, without going to a physical CHASE Bank. Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.
There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.
“By design, Android allows apps to be pre-empted or hijacked,” Qian said. “But the thing is you have to do it at the right time so the user doesn’t notice. We do that and that’s what makes our attack unique.”
(Score: 3, Insightful) by Horse With Stripes on Saturday August 23 2014, @10:24PM
They swap user login UIs to trick the user into entering their credentials? Are they mimicking every possible app's login screen? That's going to be quite a trick.
(Score: 2) by meisterister on Saturday August 23 2014, @10:31PM
Why not write a new keyboard that includes keylogging?
(May or may not have been) Posted from my K6-2, Athlon XP, or Pentium I/II/III.
(Score: 2) by kaszz on Sunday August 24 2014, @12:12AM
Just proves that smartphones vendors doesn't take security seriously.