A team of researchers have discovered a flaw believed to exist in Android, Windows and iOS mobile operating systems that could be used to gain private data from unsuspecting users. They found that it was successful between 82 percent and 92 percent of the time on six of the seven popular Android apps they tested.
This team of researchers, which included an assistant professor at the University of California, Riverside Bourns College of Engineering, identified that among the Android apps they easily hacked were Gmail, CHASE Bank and H&R Block. The researchers started testing these apps because they believed that there may be some security risk with so many apps being created.
The researchers could successfully hack the H&R Block application; once hacked, it could allow attackers to steal users’ login details and Social Security numbers. The Chase app (with an 83 percent success rate) could allow attackers to obtain highly sensitive information such as the user’s name, address, bank routing number, account number and signature. The NewEgg app could be successfully hacked (with an 86 percent success rate), giving attackers the user’s credit card number and shipping address. The Amazon app, with a 48 percent success rate, was the only app the researchers found difficult to hack.
“The assumption has always been that these apps can’t interfere with each other easily,” Qian, assistant professor at UC Riverside said. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
He added, “By design, Android allows apps to be preempted or hijacked. But the thing is you have to do it at the right time so the user doesn’t notice.”
For the attack to take place, the user is enticed to download a malicious app, such as one that provides background wallpaper for the phone. Once the user installs the app on his or her smartphone, it runs on the same shared infrastructure, the operating system, which it can access without any special privileges and without the user’s knowledge. The stolen information is then sent to the attackers in plain text.
Two conditions must be met for such an attack to succeed. First, the attack has to take place at the exact moment the user is logging into the app or taking a picture. Second, it has to be done silently, without the user’s knowledge, by carefully calculating the timing of the attack, Qian said.
The researchers conducted their tests on the Android platform, but they said the hack would work similarly on iOS and Windows.
For smartphone users, Qian’s advice was simple: “Don’t install untrusted apps.” Moreover, for complete security of your Android smartphone, install eScan Mobile Security for Android from here: http://www.escanav.com/english/content/products/downloadlink/downloadproduct.asp?pcode=ES-AND-MS