Sunday, August 24, 2014

Researchers reveal clever phishing attack on Android – Security.nl

Researchers have revealed a clever way to carry out phishing attacks against several popular Android apps, such as Gmail, Amazon and the American CHASE Bank, and so steal login data and other information from users.

The attack was developed by researchers at the University of California and will be presented at the USENIX Security Symposium in San Diego today, although video demonstrations are already online. To carry out the attack, a user must first download a malicious app that seems harmless, such as a background for the phone. Through the app, the researchers can perform a new “side-channel attack,” which focuses on the shared memory of a process.

Shared memory is a feature of the operating system that lets processes share data more efficiently. Access to this memory requires no permissions. The app can monitor changes in the shared memory and correlate those changes with certain events, for example someone who wants to log into Gmail or his bank app. In this way the researchers can track fairly accurately what the user is doing in the attacked app.



Phishing

At the moment the user wants to log in to, for example, Gmail, or wants to check out at Newegg, the malicious app shows a counterfeit login screen in which the user enters his data. The app then sends this data to the attacker. For the attack to succeed, it has to take place at exactly the moment the user wants to log in or check out, and the attack must not stand out.

The researchers state that similar phishing attacks have been demonstrated in the past, but that these were not as sophisticated as the new attack. In many applications the user does not need to log in as soon as the app is started, yet in the earlier attacks a login screen appeared immediately. In addition, these old phishing attacks require suspicious permissions. The newly developed attack does not suffer from these limitations.



Timing

The timing of the attack, however, is a key component of its success. The researchers ultimately achieved different success rates against a number of popular apps, such as Gmail (92%), H&R Block (92%), Newegg (86%), WebMD (85%), CHASE Bank (83%), Hotels.com (83%) and Amazon (48%). Amazon was more difficult to attack because the app allows one activity to transition to almost any other activity, which makes it difficult to guess which activity the app is in.

According to the researchers, the problem exists not only on Android, but also on other mobile operating systems like iOS and Windows. Users who want to protect themselves against the attack are advised by researcher and professor Zhiyun Qian not to install “unreliable apps”. In addition, the developers of mobile operating systems are called upon to strike a better balance between usability and security and to eliminate side-channel attacks.
