Hack Gmail With 92 Percent Success Rate

A weakness in Android, Windows, and iOS mobile operating systems could be used to obtain personal information.

Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information.

Although it was tested only on an Android phone, the team believes that
the method could be used across all three operating systems because all
three share a similar feature: all apps can access a mobile device’s
shared memory.


In a paper being presented Friday at the Usenix cybersecurity conference, the engineers said they also could steal check images from a Chase app with an 83 percent success rate and hack personal information such as address and Social Security numbers from H&R Block (success rate 92 percent), Newegg (86 percent), WebMD (85 percent), Hotels.com (83 percent) and Amazon (48 percent) apps. 

Zhiyun Qian, an assistant professor at UC Riverside.

The researchers started working on the method because they believed
there was a security risk with so many apps being created by some many
developers. Once a user downloads a bunch of apps to his or her smart
phone they are all running on the same shared infrastructure, or
operating system.

“The assumption has always been that these apps can’t interfere with
each other easily,” Qian said. “We show that assumption is not correct
and one app can in fact significantly impact another and result in
harmful consequences for the user.”

Demonstration

1. Activity hijacking attack steals your password and SSN in H&R Block app: In this video we show an unprivileged app running in the background can track H&R Block app’s running state (we call such state UI state), unnoticeably hijack the foreground Activity and steal user’s H&R block login credentials and social security number(SSN).

2. Camera peeking attack steals your personal check image in Chase app: In this video we show an unprivileged app running in the background can track Chase app’s running state (we call such state UI state), and steal the check photo shot by the user. From the check photo, the attacker can successfully get many highly-sensitive personal information such as home address, check recipient name, bank routing number, account number, and even the user’s signature.

  
3. Activity hijacking attack steals your credit card number and shopping ship address information in NewEgg app: In this video we show an unprivileged app running in the background can track NewEgg app’s running state (we call such state UI state), unnoticeably inject two Activities into foreground and steal user’s credit card number and shopping ship address information.

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

How to Exploit Heartbleed using Metasploit in Kali Linux

Heartbleed vulnerability (registered as CVE-2014-0160) is a security bug present in the older version of OpenSSL cryptographic library. OpenSSL is a cryptographic toolkit used...

How to Install Parrot Security OS on VirtualBox in 2020

Parrot Security OS is a free GNU/LINUX distribution, released on 10th April 2013. It is a mixture of Kali Linux and Frozenbox OS, aims to...

How to Install Kali Linux on VirtualBox [Windows Host] in 2020

Kali Linux is a Debian based Linux distribution, released on the 13th March 2013 as a complete rebuild of BackTrack Linux. It is one of...

Acunetix v13 Release Introduces Groundbreaking Innovations

The newest release of the Acunetix Web Vulnerability Scanner further improves performance and premieres best-of-breed technologies London, United Kingdom – February 5, 2019 – Acunetix,...