Sneak Attack: Android Apps Can Ambush Each Other
Modern operating systems "sandbox" apps so that they can't affect each other — in theory. Yet three researchers have shown that, at least in Android, one app can "spy" upon another and then, at just the right moment, interfere with the targeted app's user display in order to steal passwords, credit-card numbers or even sensitive photos.
In this way, the researchers were able to steal login credentials from the Gmail app, a Social Security number from the H&R Block app, a credit-card number from the NewEgg app and a bank-check image from the Chase app. Only the Amazon app proved resistant, though not immune.
While the experiments were carried out on Android phones, the researchers believe iOS and even desktop operating systems such as Mac OS X and Windows would be vulnerable to similar attacks.
"The assumption has always been that these apps can't interfere with each other easily," researcher Zhiyun Qian of NEC Laboratories America told Phys.org. "One app can in fact significantly impact another and result in harmful consequences for the user."
The three researchers — Qian and Qi Alfred Chen and Z. Morley Mao of the University of Michigan — plan to present their findings at the USENIX Security Symposium in San Diego tomorrow (Aug. 22), and have already shared their findings in a research paper entitled "Peeking into Your App Without Actually Seeing It: UI State Inference and Novel Android Attacks."
To prevent infection, don't share memory
The problem arises because, due to limited resources, running applications must share some memory with other running applications so that they can all operate efficiently. Truly sensitive data is compartmentalized, but mundane tasks are often carried out in shared memory — and there's no task more mundane than running the nuts and bolts of the device's graphical user interface (GUI).
However, each change an app makes to the GUI requires a specific amount of memory, an amount that often directly and instantly affects the total amount of shared memory used on a given device. As the app's GUI changes, the shared-memory allocation rises and falls — in a way that can let other running apps know exactly what the target app is doing and thus carry out an indirect, or "side-channel," attack.
By carefully correlating GUI changes with memory-allocation changes, the three researchers were able to determine, just by monitoring shared memory, that a given app was bringing up a login screen, taking a photograph or transmitting credit-card information.
Chen, Mao and Qian then designed a malicious app that permanently ran in the background of the targeted device, as would a wallpaper app. It had no special permissions other than full network access -- but that was enough to transmit information to the attacker's own phone.
The malicious app lies in wait, monitoring the shared memory for signs that the target app is about to begin a sensitive process. At exactly the right moment, the malicious app interferes with the target app and hijacks the user experience to its own ends.
To steal typed information, the malicious app "seizes focus" and displays a phony input screen designed to look exactly like the corresponding real input screen. After the user types in his login credentials, credit-card number or Social Security number, the malicious app displays a phony error notification and returns the user to the real app's input screen.
To steal an image, the malicious app exploits the phone's preview function, grabbing each frame of the video image displayed to the user before a photo is even taken.
Let's go to the videotape
In a series of videos the researchers posted to YouTube, two Samsung Galaxy S3 phones running Android 4.1 Jelly Bean are shown side by side.
As the user types information into the H&R Block and NewEgg apps on one phone, the login credentials and Social Security and credit-card numbers appear on the other. As the user of one snaps a photo of a bank check using the Chase app, the image appears on the other phone, displaying the user's name, address, bank-account number and signature.
Among the seven the researchers tested — Amazon, Chase, Gmail, H&R Block, Hotels.com, NewEgg and WebMD — only Amazon was resistant to their side-channel attack. The Amazon app's interface was so complex that the researchers had a hard time determining what it was doing at any given time.
That resistance offers clues on how to mitigate further attacks, the trio say. Memory demands for specific processes could be rounded up to preset values, confusing an attacker about which process was taking place. Applications running in the background could also be prevented from seizing focus from other apps.
However, Chen, Mao and Qian explained, the problem underlies most modern operating systems, and may require a switch to a different way of managing graphical user interfaces.
"We expect the technique to be generalizable to all GUI systems with the same window manager design as that in Android, such as the GUI systems in Mac OS X, iOS, Windows, etc.," the three wrote in their research paper.