Hacking Gmail with 92 percent success

Aug 21, 2014 by Sean Nealon
A team of engineers have developed a method that allows them to successfully hack into apps up to 92 percent of the time.

(Phys.org) —A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone.

The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

The paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," will be presented Friday, Aug. 22 at the 23rd USENIX Security Symposium in San Diego. Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.

The researchers believe their method will work on other operating systems because they share a key feature researchers exploited in the Android system. However, they haven't tested the program using the other systems.

The researchers started working on the method because they believed there was a security risk with so many apps being created by some many developers. Once a user downloads a bunch of apps to his or her smart phone they are all running on the same shared infrastructure, or operating system.

"The assumption has always been that these apps can't interfere with each other easily," Qian said. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel—the shared memory statistics of a process, which can be accessed without any privileges. (Shared memory is a common operating system feature to efficiently allow processes share data.)

The researchers monitor changes in shared memory and are able to correlate changes to what they call an "activity transition event," which includes such things as a user logging into Gmail or H&R Block or a user taking a picture of a check so it can be deposited online, without going to a physical CHASE Bank. Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.

There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.

"By design, Android allows apps to be preempted or hijacked," Qian said. "But the thing is you have to do it at the right time so the user doesn't notice. We do that and that's what makes our attack unique."

The researchers created three short videos that show how the work. They can be viewed below:

This video is not supported by your browser at this time.
Activity hijacking attack steals your password and SSN in H&R Block app: In this video we show an unprivileged app running in the background can track H&R Block app's running state (we call such state UI state), unnoticeably hijack the foreground Activity and steal user's H&R block login credentials and social security number(SSN).

This video is not supported by your browser at this time.
Camera peeking attack steals your personal check image in Chase app: In this video we show an unprivileged app running in the background can track Chase app's running state (we call such state UI state), and steal the check photo shot by the user. From the check photo, the attacker can successfully get many highly-sensitive personal information such as home address, check recipient name, bank routing number, account number, and even the user’s signature.

This video is not supported by your browser at this time.
Activity hijacking attack steals your credit card number and shopping ship address information in NewEgg app: In this video we show an unprivileged app running in the background can track NewEgg app's running state (we call such state UI state), unnoticeably inject two Activities into foreground and steal user's credit card number and shopping ship address information.

Here is a list of the seven apps the researchers attempted to attack and their success rates: Gmail (92 percent), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent), CHASE Bank (83 percent), Hotels.com (83 percent) and Amazon (48 percent).

Amazon was more difficult to attack because its app allows one activity to transition to almost any other activity, increasing the difficulty of guessing which activity it is currently in.

Asked what a smart phone user can do about this situation, Qian said, "Don't install untrusted apps." On the operating system design, a more careful tradeoff between security and functionality needs to be made in the future, he said. For example, side channels need to be eliminated or more explicitly regulated.

Explore further: New framework would facilitate use of new Android security modules

More information: The paper is available online: www.cs.ucr.edu/~zhiyunq/pub/se… tivity_inference.pdf

add to favorites email to friend print save as pdf

Related Stories

Malware worms its way into more apps, study finds

Jun 24, 2014

Malicious software is increasingly making its way into mobile phones through "cloned" versions of popular apps, and software weaknesses in legitimate ones, security researchers said Tuesday.

Recommended for you

Brain inspired data engineering

11 hours ago

What if next-generation ICT systems could be based on the brain's structure and its cognitive and adaptive processes? A groundbreaking paradigm of brain-inspired intelligent ICT architectures is being born.

Forging a photo is easy, but how do you spot a fake?

Nov 21, 2014

Faking photographs is not a new phenomenon. The Cottingley Fairies seemed convincing to some in 1917, just as the images recently broadcast on Russian television, purporting to be satellite images showin ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

rp142
4 / 5 (1) Aug 21, 2014
No platform or OS is absolutely secure. It is fairly standard for applications to be able to look over the shoulder of other applications which is why care needs to be taken when deciding to install new software. The only sensible point that I can see in this type of story is that we should all realise the mobile platforms are not immune to the attacks that desktop platform (like Windows) have long been victims of.

From the article; "The attack works by getting a user to download a seemingly benign, but actually malicious, app ..."

The very first step requires the end user to install a virus (malicious software)... Don't install the virus and you're safe. Not exactly a new way to attack a platform - windows has supported this approach for many years.

The big problem with Android apps is Google's move to hide the permissions required for apps from the users so they can no longer make an informed decision and risk assessment.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.