Hack Gmail With 92 Percent Success Rate

A weakness in Android, Windows, and iOS mobile operating systems could be used to obtain personal information.

Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information.

Although it was tested only on an Android phone, the team believes that
the method could be used across all three operating systems because all
three share a similar feature: all apps can access a mobile device’s
shared memory.


In a paper being presented Friday at the Usenix cybersecurity conference, the engineers said they also could steal check images from a Chase app with an 83 percent success rate and hack personal information such as address and Social Security numbers from H&R Block (success rate 92 percent), Newegg (86 percent), WebMD (85 percent), Hotels.com (83 percent) and Amazon (48 percent) apps. 

Zhiyun Qian, an assistant professor at UC Riverside.

The researchers started working on the method because they believed
there was a security risk with so many apps being created by so many
developers. Once a user downloads a bunch of apps to his or her smartphone,
they are all running on the same shared infrastructure, or
operating system.

“The assumption has always been that these apps can’t interfere with
each other easily,” Qian said. “We show that assumption is not correct
and one app can in fact significantly impact another and result in
harmful consequences for the user.”

Demonstration

1. Activity hijacking attack steals your password and SSN in H&R Block app: In this video we show an unprivileged app running in the background can track H&R Block app’s running state (we call such state UI state), unnoticeably hijack the foreground Activity and steal the user’s H&R Block login credentials and Social Security number (SSN).

2. Camera peeking attack steals your personal check image in Chase app: In this video we show an unprivileged app running in the background can track Chase app’s running state (we call such state UI state), and steal the check photo shot by the user. From the check photo, the attacker can successfully get much highly sensitive personal information such as home address, check recipient name, bank routing number, account number, and even the user’s signature.

  
3. Activity hijacking attack steals your credit card number and shopping ship address information in NewEgg app: In this video we show an unprivileged app running in the background can track NewEgg app’s running state (we call such state UI state), unnoticeably inject two Activities into the foreground and steal the user’s credit card number and shopping ship address information.
