If we've said it once, we've said it a thousand times: Be careful about the apps you download onto your Android phone. A trio of researchers say they've discovered a new way to use a malicious Android app to nab critical information from an Android phone, such as login details, Social Security numbers, and images of checks being deposited.
Researchers Zhiyun Qian, of the University of California, Riverside, and Z. Morley Mao and Qi Alfred Chen from the University of Michigan are set to present their findings, in a paper titled "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks," at the USENIX Security Symposium in San Diego on Friday.
The attack works by having a malicious app monitor activity on the phone and wait for the user to open and start using a target app, such as Gmail, H&R Block, or Chase Bank. The bad app reads the target app's shared-memory usage, which Android at the time exposed to any other process, and uses changes in it to make an educated guess about which screen the user is on in the other app at that exact moment.
The malicious app can then attempt to capture whatever data the user is about to enter into the target app by pushing a fake login screen to the foreground before the real one appears. This is a phishing (UI spoofing) attack, and phishing is a very common way for attackers to steal sensitive data.
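To make the "educated guess" concrete, here is an added example (not code from the paper or from this article) of the inference step in simplified form. It assumes the side channel is the shared-pages field of the target process's `/proc/<pid>/statm` file, which the paper uses and which any app could read on Android versions of that era; the sample readings, thresholds and the per-screen signature table are constructed for illustration and are not measurements from the paper.

```python
# Added example: a simplified, offline model of shared-memory UI-state inference.
# Each Activity allocates window buffers shared with the system compositor, so
# opening a new screen produces a jump in the process's shared-page count.
# The attacker samples that count, detects jumps, and matches the size of each
# jump against a table learned beforehand by driving the target app.

from typing import Dict, List, Optional, Tuple

STATM_FIELDS = ("size", "resident", "shared", "text", "lib", "data", "dt")


def parse_statm(line: str) -> Dict[str, int]:
    """Parse one /proc/<pid>/statm line (7 page counts) into a field -> pages dict."""
    parts = line.split()
    if len(parts) != len(STATM_FIELDS):
        raise ValueError(f"expected {len(STATM_FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(STATM_FIELDS, map(int, parts)))


def detect_transitions(samples: List[Tuple[int, str]], min_jump_pages: int) -> List[Tuple[int, int]]:
    """samples: (t_ms, statm_line) pairs. Return (t_ms, delta_pages) for each jump
    whose absolute size is at least min_jump_pages; smaller jitter is ignored."""
    events = []
    prev = None
    for t_ms, line in samples:
        shared = parse_statm(line)["shared"]
        if prev is not None and abs(shared - prev) >= min_jump_pages:
            events.append((t_ms, shared - prev))
        prev = shared
    return events


# Constructed signature table (hypothetical numbers): inclusive range of the
# shared-page increase seen in a training run when each screen of the target
# app is opened. A real attacker would build this per target app version.
SIGNATURES = {
    "LoginActivity": (180, 220),
    "InboxActivity": (90, 130),
    "CameraActivity": (300, 360),
}


def classify(delta_pages: int, signatures=SIGNATURES) -> Optional[str]:
    """Map a positive jump to the screen whose learned range contains it.
    A negative delta means shared memory was released (a screen closed), which
    this simplified model does not label."""
    if delta_pages <= 0:
        return None
    for name, (low, high) in signatures.items():
        if low <= delta_pages <= high:
            return name
    return None


def infer_ui_states(samples: List[Tuple[int, str]], min_jump_pages: int = 50) -> List[Tuple[int, Optional[str]]]:
    """Full pipeline: samples -> (t_ms, inferred screen or None) per detected jump."""
    return [(t, classify(d)) for t, d in detect_transitions(samples, min_jump_pages)]


# Constructed sample readings of a target app's statm (fields: size resident
# shared text lib data dt), 100 ms apart. Values are made up for illustration.
SAMPLES = [
    (0,   "51234 18211 2410 12 0 9000 0"),
    (100, "51234 18220 2412 12 0 9000 0"),  # +2 shared pages: idle jitter, ignored
    (200, "52000 18900 2610 12 0 9300 0"),  # +198: matches LoginActivity range
    (300, "52000 18900 2611 12 0 9300 0"),  # +1: jitter
    (400, "52500 19300 2720 12 0 9500 0"),  # +109: matches InboxActivity range
    (500, "52100 18950 2520 12 0 9300 0"),  # -200: a screen was torn down
]

if __name__ == "__main__":
    for t_ms, screen in infer_ui_states(SAMPLES):
        print(f"t={t_ms}ms inferred screen: {screen}")
```

The moment the pipeline reports "LoginActivity" is the moment the phishing screen would be pushed to the foreground, which is why the timing caveat later in this article matters. The real classifier in the paper is more elaborate than a single-delta lookup, and the channel this example relies on no longer exists as described: Android 7.0 and later mount /proc with hidepid=2, so an unprivileged app can no longer read another app's statm. When assessing a device, checking whether `/proc/<other_pid>/statm` is readable from an unprivileged shell is the quick test for this particular leak.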
But phishing isn't the only attack the researchers used to nab data. In one of several video examples the researchers posted online, a victim using the Chase Bank app attempts to deposit a check by snapping a picture of it. The malicious app is then able to grab an image of the check and send it to the attacker's phone.
This bit of trickery again relies on educated guesswork via shared memory, but doesn't use a phishing screen. When a smartphone takes a picture, the screen shows a live preview, a video stream of whatever the camera is pointed at. The malicious app grabs frames of that preview stream while the camera is in preview mode. In the Chase Bank case, the app is again guessing, from the target app's UI state, that you are lining up the camera to shoot a check.
The attack method sounds pretty ominous owing to the kind of information it could grab, but it does come with some major caveats.
First, you have to install the malicious app before it can start monitoring your activity. Then, the attack has to fire at the exact moment you are entering sensitive information or snapping a picture containing sensitive data (like that check photo).
Second, because stealing credentials ultimately relies on phishing, the malicious app has to inject a phony, look-alike login screen without the user noticing. That means the fake screen has to be precisely timed, and it has to be designed to closely match the real login screen—although some people will trust almost any screen they see on their phone or PC.
Despite its seeming complexity, the researchers say their success rate was quite high when testing the attack with 10 volunteers who were asked to interact with the apps; the volunteers did not log in with their own credentials.
The researchers say that during the tests they succeeded against Gmail and H&R Block 92 percent of the time, as well as Newegg (86 percent), WebMD (85 percent), Chase Bank (83 percent), and Hotels.com (83 percent).
The only app of the seven that showed serious resistance was Amazon's shopping app, against which attacks succeeded only 48 percent of the time.
The researchers also say these attacks should be possible on other operating systems such as iOS and Windows, since they all use shared memory mechanisms.
Since the attack sounds fairly difficult to pull off, we've asked a few security experts to weigh in on how likely such an attack would be to succeed in the wild. We'll update this post should they respond.
UPDATE (August 23, 2014): Timo Hirvonen, senior researcher at security firm F-Secure, shared his thoughts with us about this new attack. Although the attack sounds difficult to pull off, Hirvonen told us, it wouldn't be—even though some parts of the attack need to be tailored for specific apps.
"I hope malware authors don’t read academic papers since I could see at least some elements being very useful in a practical malware attack," Hirvonen said.
Whether or not you're likely to fall victim to an attack like this, it's a good reminder to be careful about the apps you load onto your phone—especially if you're sideloading apps from unofficial sources.