Sign in with
Sign up | Sign in

Sneak Attack: Android Apps Can Ambush Each Other

By - Source: Tom's Guide US | B 7 comments

Credit: Specnaz/ShutterstockCredit: Specnaz/Shutterstock

Modern operating systems "sandbox" apps so that they can't affect each other — in theory. Yet three researchers have shown that, at least in Android, one app can "spy" upon another and then, at just the right moment, interfere with the targeted app's user display in order to steal passwords, credit-card numbers or even sensitive photos.

In this way, the researchers were able to steal login credentials from the Gmail app, a Social Security number from the H&R Block app, a credit-card number from the NewEgg app and a bank-check image from the Chase app. Only the Amazon app proved resistant, though not immune.

MORE: Best Android Anti-Virus Software

While the experiments were carried out on Android phones, the researchers believe iOS and even desktop operating systems such as Mac OS X and Windows would be vulnerable to similar attacks.

"The assumption has always been that these apps can't interfere with each other easily," researcher Zhiyun Qian of NEC Laboratories America told Phys.org. "One app can in fact significantly impact another and result in harmful consequences for the user."

The three researchers — Qian and Qi Alfred Chen and Z. Morley Mao of the University of Michigan — plan to present their findings at the USENIX Security Symposium in San Diego tomorrow (Aug. 22), and have already shared their findings in a research paper entitled "Peeking into Your App Without Actually Seeing It: UI State Inference and Novel Android Attacks."

To prevent infection, don't share memory

The problem arises because, due to limited resources, running applications must share some memory with other running applications so that they can all operate efficiently. Truly sensitive data is compartmentalized, but mundane tasks are often carried out in shared memory — and there's no task more mundane than running the nuts and bolts of the device's graphical user interface (GUI).

However, each change an app makes to the GUI requires a specific amount of memory, an amount that often directly and instantly affects the total amount of shared memory used on a given device. As the app's GUI changes, the shared-memory allocation rises and falls — in a way that can let other running apps know exactly what the target app is doing and thus carry out an indirect, or "side-channel," attack.

By carefully correlating GUI changes with memory-allocation changes, the three researchers were able to determine, just by monitoring shared memory, that a given app was bringing up a login screen, taking a photograph or transmitting credit-card information.

Chen, Mao and Qian then designed a malicious app that permanently ran in the background of the targeted device, as would a wallpaper app. It had no special permissions other than full network access -- but that was enough to transmit information to the attacker's own phone.

The malicious app lies in wait, monitoring the shared memory for signs that the target app is about to begin a sensitive process. At exactly the right moment, the malicious app interferes with the target app and hijacks the user experience to its own ends.

To steal typed information, the malicious app "seizes focus" and displays a phony input screen designed to look exactly like the corresponding real input screen. After the user types in his login credentials, credit-card number or Social Security number, the malicious app displays a phony error notification and returns the user to the real app's input screen.

To steal an image, the malicious app exploits the phone's preview function, grabbing each frame of the video image displayed to the user before a photo is even taken.

Let's go to the videotape

In a series of videos the researchers posted to YouTube, two Samsung Galaxy S3 phones running Android 4.1 Jelly Bean are shown side by side.

As the user types information into the H&R Block and NewEgg apps on one phone, the login credentials and Social Security and credit-card numbers appear on the other. As the user of one snaps a photo of a bank check using the Chase app, the image appears on the other phone, displaying the user's name, address, bank-account number and signature.

Attack upon H and R Block app

Attack upon Chase app

Attack upon NewEgg app

Among the seven the researchers tested — Amazon, Chase, Gmail, H&R Block, Hotels.com, NewEgg and WebMD — only Amazon was resistant to their side-channel attack. The Amazon app's interface was so complex that the researchers had a hard time determining what it was doing at any given time.

That resistance offers clues on how to mitigate further attacks, the trio say. Memory demands for specific processes could be rounded up to preset values, confusing an attacker about which process was taking place. Applications running in the background could also be prevented from seizing focus from other apps.

However, Chen, Mao and Qian explained, the problem underlies most modern operating systems, and may require a switch to a different way of managing graphical user interfaces.

"We expect the technique to be generalizable to all GUI systems with the same window manager design as that in Android, such as the GUI systems in Mac OS X, iOS, Windows, etc.," the three wrote in their research paper.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Discuss
Add a comment
Ask a Category Expert
React To This Article

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

  • 0 Hide
    stridervm , August 21, 2014 5:07 PM
    So it is something like a Pro Action Replay/Game Genie style of "hacking" ?
  • -4 Hide
    nguyenm , August 22, 2014 4:33 AM
    Solution? Move to Blackberry or Windows Phone 8.1. Hackers understand market share potential too! So those 2 mentioned OS above won't be looked at... like at all! Personally i use a Lumia 920 w/ WP 8.1 and never had a security issue!
  • 2 Hide
    xenol , August 22, 2014 7:10 AM
    Quote:
    Solution? Move to Blackberry or Windows Phone 8.1. Hackers understand market share potential too! So those 2 mentioned OS above won't be looked at... like at all! Personally i use a Lumia 920 w/ WP 8.1 and never had a security issue!

    Security through obscurity (or whatever the appropriate term) just makes it worse. Mac OS X is actually less secure than Windows as Black Hat Pwn2Own contests historically have shown.
  • Add your comment Display all 7 comments.
  • 0 Hide
    jhansonxi , August 22, 2014 8:44 AM
    Qubes is probably immune: https://qubes-os.org
    There was an artilce about it on Tom's a few years ago.
  • 0 Hide
    killerclick , August 22, 2014 10:01 AM
    This wouldn't be happening if we had the death penalty for hackers.

    Quote:
    Security through obscurity (or whatever the appropriate term) just makes it worse.


    That would be security through minority or something like that.
    Besides, for the end user it doesn't make much difference. Using OS X (or WP or whichever niche platform) will keep users safer, regardless of the vulnerabilities present.
  • 0 Hide
    videobear , August 22, 2014 2:10 PM
    Quote:
    Quote:
    Solution? Move to Blackberry or Windows Phone 8.1. Hackers understand market share potential too! So those 2 mentioned OS above won't be looked at... like at all! Personally i use a Lumia 920 w/ WP 8.1 and never had a security issue!


    Yeah, right. See the next article down, "Windows Store Infested with Fake Apps."
  • 0 Hide
    pizzapeter , August 23, 2014 3:16 PM
    Quote:
    Solution? Move to Blackberry or Windows Phone 8.1. Hackers understand market share potential too! So those 2 mentioned OS above won't be looked at... like at all! Personally i use a Lumia 920 w/ WP 8.1 and never had a security issue!


    That's not really a solution. Just because something has a secruity issue it doesn't mean you should instantly be jumping ship. Those devices have had/can have their fair share of problems too.
React To This Article

Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter