Mobile flaw means 92% of Gmail accounts are hackable

Researchers with the University of California's College of Engineering and the University of Michigan have identified a weakness they believe exists across Android, Windows and iOS operating systems that could allow malicious apps to obtain personal information.

Mobile flaw means 92% of Gmail accounts are hackable
Mobile flaw means 92% of Gmail accounts are hackable

The most high profile aspect of this weakness means that 92 percent of Gmail accounts, and around 82 per cent of the several apps they tested, can be cracked using the memory interrogation technique.

The problem, say the researchers, is down to the way that apps can access a mobile device's shared memory. So far, however, they have only proven their methodology - which was revealed using an Android device at last Friday's USENIX symposium in San Diego. They claim, however, that it will work on other smartphone platforms, including Apple's iOS.

The researcher's paper is entitled `Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks' and was authored by Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside, Z. Morley Mao, an associate professor at the University of Michigan, and Qi Alfred Chen, a PhD student working with Mao.

The problem stems from the fact that there are a wide variety of apps created by many different developers. Once a user downloads several apps to their smartphone, however, they are all effectively running on the same shared infrastructure, says the report.

“The assumption has always been that these apps can't interfere with each other easily,” said Qian. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

The attack works by getting a user to download an app - such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly-discovered public side channel - the shared memory statistics of a process, which can be accessed without any privileges.

The researchers were able to monitor changes in shared memory and correlated any changes to what they call an `activity transition event,' which includes steps such as a user logging into Gmail or a camera process, such as taking a picture of a cheque so that it can be deposited electronically.

There are two stages to an attack, the researchers say. The first needs to take place at the exact moment the user is logging into the app or taking the picture. The second stage, they add, carefully calculating the attack timing.

“By design, Android allows apps to be pre-empted or hijacked,” said Qian. “But the thing is you have to do it at the right time so the user doesn't notice. We do that and that's what makes our attack unique.”

The researchers have created three short videos (available from here) to illustrate how the attacks work.

Commenting on the analysis, Steve Smith, managing director of security consultancy Pentura, said that the problem stems from social engineering attacks - or downloads of infected applications - rather than a direct flaw in the Gmail application.

"With both businesses and individuals increasingly using an ever widening range of mobile applications they need to consider the access they may be inadvertently offering to third parties by using such services," he said.

"With applications often requiring a variety of access permissions people need to be aware of what other functionality and systems running on their device that they are making accessible to external parties and hackers," he added.

Smith went onto say that individuals and businesses alike should carefully consider and research what applications they are downloading to their mobile devices to ensure they don't leave themselves open to attacks from hackers.

"Simple steps like only downloading apps from trusted stores and developers can massively reduce the risks of cyber-attacks that people are exposed to," he explained.