.png)
Hacking With the vulnerability In Your Android.
Researchers at the University of California, Riverside and the University of Michiganannounced recently that they have developed a hack that works 92% of the time on Google’s Gmail system on Android, as well as with the H&R Block app.
In addition, this hack worked 86% of the time on Newegg, and 83% of the time at Chase Bank and Hotels.com. That’s a highly reliable hack as far as hacks go. Probably most troubling is its reliability against the Chase Bank app. The key to the hack is to get the user to download a malicious app. As you know, apps on the Android system are not vetted like the apps on Apple’s iOS, and as such, some malicious apps do appear in the Google Play Store.
Second, the malicious app needs to detect when the user is opening the victim app. This is not that hard, as each app has its own signature (much like how AV software works) that can be detected by the malicious app and then launch the appropriate login screen.
In the case of the check deposit on the Chase app, as soon as you enable your camera on your phone, it shows the video of everything in its viewfinder. This action can be detected by the app and will launch its intercept of the check picture when the picture is “snapped.”
You can see how it works in their demo video below.
The key to this vulnerability is that apps sometimes use shared memory space. It is this shared memory space that is exploited for detecting and determining when the app is being used and then injecting the fake login screen.
Although this hack was demonstrated on Android, it just as easily can be done on Windows and iOS phones as they also use shared memory space. The only limitation is the vetting process of the apps by the store and any AV software that might detect its malicious nature on your phone.
Videos for their Newegg hack (which takes the credit card number and shipping address) and H&R Block hack (which steals a password and social security number) can be seen below.
0 comments: