Android, Windows and iOS Vulnerability Allows 92 Percent Hack Success Rate For Popular Apps Like Gmail

A weakness has been identified that could exist in Android, Windows, and iOS devices that can be used to obtain personal information. Discovered by a team of researchers, the vulnerability revolves around multiple applications running on a shared infrastructure that can be exploited.

According to their research, they were able to test a method, on an Android phone, that was successful between 82 percent and 92 percent of the time for six of the seven apps that were tested. The apps with such high percentages were Gmail (92 percent), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent), CHASE Bank (83 percent), and (83 percent). The final app tested belonged to Amazon, which had a 48 percent rate of success when the researchers used their method.

The team consists of Zhiyun Qian of the Computer Science and Engineering Department at UC Riverside, associate professor at the University of Michigan Morley Mao, and Mao’s Ph.D student Qi Alfred Chen. The paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks,” will be presented August 22 at this year’s USENIX Security Symposium in San Diego.

The success of the method is reliant on a user downloading multiple apps to a smartphone where all the apps are running on the same infrastructure. This is the vulnerability the team is taking advantage of, according to Qian who said, “The assumption has always been that these apps can't interfere with each other easily. We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

In order to work, the potential victim has to download a supposedly benign app, like a background wallpaper, for their phone. Once the malicious app is installed, the team was able to exploit a public side channel that could be accessed without any privileges. However, in order to succeed, the attack needs to be done at the exact same moment when the user is logging in and without the user noticing.

While the method was only tested on an Android device, the team feels that their method will work on other operating systems since most of the devices share the same vulnerability.