Saturday 23 August 2014

Gmail Smartphone App Hacked By Researchers

US researchers say they have been able to hack into Gmail accounts
with a 92% success rate by exploiting a weakness in smartphone memory.

The researchers were able to gain access to a number of apps,
including Gmail, by disguising malicious software as another
downloaded app.

Gmail was among the easiest to access of the popular apps tested.

The hack was tested on an Android phone, but the researchers believe
it could work on other operating systems.

A Google spokeswoman said the technology giant welcomed the research.
"Third-party research is one of the ways Android is made stronger and
more secure," she said.

The research is being presented later at a cybersecurity conference in
San Diego by academics from the universities of Michigan and
California.

Other apps hacked included H&R Block, Newegg, WebMD, Chase Bank,
Hotels.com and Amazon.

The Amazon app was the hardest to access, with a 48 per cent success rate.

The hack involves accessing the shared memory of a user's smartphone
using malicious software disguised as an apparently harmless app, such
as wallpaper.

This shared memory is used by all apps, and by analysing its use the
researchers were able to tell when a user was logging into apps such
as Gmail, giving them the opportunity to steal login details and
passwords.

"The assumption has always been that these apps can't interfere with
each other easily," said Zhiyun Qian, an assistant professor at the
University of California and one of the researchers involved in the
study.

"We show that assumption is not correct, and one app can in fact
significantly impact another and result in harmful consequences for
the user."

In another example the researchers were able to take advantage of a
feature of the Chase Bank app which allows customers to pay in cheques
by taking pictures of them with their device's camera.

The researchers were able to access the camera to steal the pictures
as they were being taken, giving them access to personal information
including signatures and bank details.

The tests were carried out on Android phones, but the researchers
believe the attacks could be successful on other operating systems,
including Windows and the iOS system developed by Apple.
