A weakness found in the iOS, Android and Windows mobile operating systems could allow hackers to access your phone and obtain your personal data.
A research team at the University of California identified the weakness after they decided to test the assumption that apps cannot interfere with one another.
It was widely believed that generic apps like the standard wallpaper, game or productivity apps many of us have downloaded could in no way interfere with anything on our mobile device without our explicit authorisation.
As associate professor at UC Riverside Zhiyun Qian notes: “The assumption has always been that these apps can’t interfere with each other easily…We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
The test was carried out by first downloading an app the user believes to be generic and harmless, such as a basic game. The game actually contains malicious code, and once it was installed the researchers were able to access the memory statistics of any process.
While this test was only conducted on Android, the research team believes the same weakness applies on all platforms, as both the iOS and Windows platforms share the same feature with Android that allows all apps to access a mobile device’s shared memory.
The hacker would access your information by carefully monitoring the changes in the shared memory and connecting various activities to actions such as checking your bank balance, accessing Gmail or Outlook, or making online payments. With the addition of some other IT wizardry the team were able to track what a user was doing in real time between 82% and 92% of the time.
To reach the high levels of accuracy the hacker required two things to occur: 1) the attack had to occur at the exact time the action was taking place (for example, when the user accesses their bank account online) and 2) the attack had to be invisible, with the user having no knowledge of what was happening.
Zhiyun Qian, an assistant professor at UC Riverside involved in the project, explains: “We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen…It’s seamless because we have this timing.”
You can watch three short videos on how the attacks took place here: https://sites.google.com/site/uistateinferenceattack/demos