Personal Data Can Be Stolen From Trustworthy Apps

25 Aug 2014
by Reggie Pierce

Seemingly innocuous apps could be stealing your personal information, including your Social Security Number, passwords, and credit card information. These apps aren’t getting this information directly from you, though. Instead, they are hijacking apps like Gmail and H&R Block, which you already trust with your sensitive information.

Researchers at the University of Michigan and the University of California, Riverside discovered the vulnerability, which affects Android, Windows, and iOS mobile operating systems. This new type of hack, called a user interface state interference attack, consists of a malware app that runs in the background of a user’s phone, unseen and undetected. This means that the app offering 10,000 free background images or unlimited free music that you downloaded could be stealing your data, unless it came from a trusted source.

For six of the seven popular apps tested, this hack was between 82 and 92 percent effective (see below for exact figures). The hack was tested on Android only, but the researchers say that their method should work on other operating systems. This is because the hack exploits a common system called “shared memory,” which allows apps to share data with each other.

The best way to stay out of trouble, according to the researchers, is to only trust well-known apps. Therefore, users and brand owners alike should be on the lookout for suspicious apps that abuse consumer trust in order to attract downloaders.

Attack success rates:

Gmail 92%

H&R Block 92%

Newegg.com 86%

WebMD 85%

Hotels.com 85%

Chase Bank 83%

Amazon 48%

Source: International Business Times

Read the original paper here.

IP Lasso © 2020