Researchers have developed proof-of-concept malware running on Android that can silently siphon sensitive data from mobile apps on Android, iOS and Windows Phone with up to a 92% success rate.
The malware exploits "a newly discovered public side channel", discovered by researchers from the University of California Riverside, which allows access to the shared memory statistics of an app's process.
The team believed they could find a fault in an app because so many are produced by so many different developers. Once a user downloads a number of apps to his or her smartphone they are all running on the same shared platform, or operating system.
Therefore users leave themselves open to attacks as an Android phone allows itself to be hijacked or pre-empted.
Zhiyun Qian, one of the authors of the paper and a member of the University of California Computer Science and Engineering Department, said: "The assumption has always been that these apps can't interfere with each other easily, we show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."
Phishing isn't the only attack the researchers used to nab data. In another, the user of a target phone deposits a check by snapping a picture of it in the Chase Bank app. The malicious app is then able to grab the check image and send it to the attacker's phone.
This bit of trickery again relies on some educated guesswork via shared memory, but doesn't use a phishing attack. When you take a picture with a smartphone, the device screen previews, as a video stream, whatever the camera is pointed at.
The malicious app is able to grab frames of this video stream while your camera is in preview mode. In the case of Chase Bank, the app is again guessing that you are lining up your camera to take a shot of a check.
The researchers also claim these attacks are possible on other operating systems such as iOS and Windows as they all use shared memory mechanisms.