Sneak Attack: Android apps can attack each other, steal passwords, credit-card numbers, photos

“Modern operating systems ‘sandbox’ apps so that they can’t affect each other — in theory,” Paul Wagenseil reports for Tom’s Guide. “Yet three researchers have shown that, at least in Android, one app can ‘spy”‘ upon another and then, at just the right moment, interfere with the targeted app’s user display in order to steal passwords, credit-card numbers or even sensitive photos.”

“In this way, the researchers were able to steal login credentials from the Gmail app, a Social Security number from the H&R Block app, a credit-card number from the NewEgg app and a bank-check image from the Chase app,” Wagenseil reports. “The three researchers — Qian and Qi Alfred Chen and Z. Morley Mao of the University of Michigan — plan to present their findings at the USENIX Security Symposium in San Diego tomorrow (Aug. 22), and have already shared their findings in a research paper entitled ‘Peeking into Your App Without Actually Seeing It: UI State Inference and Novel Android Attacks.'”

Read more in the full article here.

MacDailyNews Take: Android. Open – as in, bend over and open wide!

[Thanks to MacDailyNews Reader “MotivDev” for the heads up.]

Related articles:
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013
FBI issues warning over Android malware attacks – October 15, 2012
Researchers discover serious flaw in Android app security, say HTC and Samsung ignore issue – September 28, 2012
Apple’s iPhone has passed a key security threshold – August 13, 2012
Android permissions flaw allows eavesdropping, data theft, location tracking – December 2, 2011
Massive HTC Android security flaw leaves security expert speechless – October 2, 2011
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010


    1. Apple actually screens for direct cross-application communication in applications they approve for the iTunes and Mac App Stores. This fact ticked off a few developers.

      Apple has also been demanding sandboxing as of, sort of Mountain Lion, definitely in Mavericks. That doesn’t mean it’s going to prove to be perfect! But it is part of Mavericks.

      I’m not certain it’s an absolute requirement for non-Mavericks compatible apps. I know Apple has long demanded that developers use Apple APIs for such things and nothing else. We certainly know Java’s Internet sandboxing days are dead and gone, entirely thanks to stupid Oracle. (Oracle, I hate you). That’s not going to change. However, Apple has locked everything Flash on the Internet into a sandbox as of Mavericks.

      There most certainly are legal keystroke logging applications for OS X that can indeed watch all such data everywhere being typed into your computer. I’m not at all aware of the impact of Maverick’s sandboxing on such apps. But I can verify that good old SpellChecker’s Ghostwriter feature still works on Mavericks such that it collects what I type into any application, as long as I give it permission and it is specifically being typed into a text box.

      In any case, any application doing so must somehow have administrator permission. Therefore, forcing users to have Standard permissions while NOT giving them the administrator password will, theoretically, stop such apps from being installed without the administrator approving them.

      IOW: I suspect there will be spotty situations where this can happen, particularly with older software applications. But we’ll see.

    2. Well, the researchers claim that they think it would work the same on OS X and iOS. But they haven’t done it or they’d show that too. It seems to work by guessing what the target apps are doing and then switching from that app to their own app while making it look like the app they are trying to spoof. But that would require an app being able to switch from one app to another app. I don’t think iOS lets an app do that. I hope Apple responds to this. I don’t see why you’d ever let an app bring itself to be the active focused app. That would be really annoying.

  1. The summary is deceptive – sandboxing on Android does prevent apps from actually stealing data from one another.

    It takes advantage of monitoring shared memory, to guess what other apps are doing, then uses multitasking to switch apps right when the user enters sensitive data, so the user is actually using the hijack app without realizing it.

    Would recommend reading the whole article – it’s fascinating hack. It’s not exploiting anything really specific to Android, and could in principle work on any operating system with multitasking.

    1. But they haven’t been able to accomplish the hack with iOS or they would of stated so. Key sentence: Yet three researchers have shown that, at least in Android…”.

      1. Also quoting from the source article:

        While the experiments were carried out on Android phones, the researchers believe iOS and even desktop operating systems such as Mac OS X and Windows would be vulnerable to similar attacks.

        That’s an irresponsible statement IMHO. It certainly is proper to ASK if these attacks could be possible on blahblahblah. But they have ZERO data (presented as of the source article’s release) backing up any actual ‘belief’ regarding anything but Android. IOW: Bad Science At Work. 🙁

        Now let’s see what they revealed in their presentation today…

      2. These researchers were working on Android, but what they discovered has ramifications for all modern operating systems with shared memory and multitasking. At the very least, future updates of iOS of OS X should be made with preventing this type of attack in mind, before someone actually makes this attack work on there.

  2. It’s the same foolishness like Windows. Open to be attacked at every level. Something which Apple is trying to avoid at all costs.
    Apple has the better safer solution, not perfect but way safer then any of the others.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.