A flaw in Android’s GUI framework let university researchers hack into applications with a success rate of up to 92 percent.
They tested apps from Gmail, H&R Block, Newegg, WebMD, Chase Bank, Hotels.com and Amazon.
“Changes in the shared memory side channel allow an attacker to infer if there is an activity transition going on in the foreground,” researcher Zhiyun Qian, an assistant professor at the University of California at Riverside, told LinuxInsider.
“This is a design choice by modern OSes … . The same attack may work as well [on other mobile OSes],” he added.
Details of the Flaw
When a new screen or window is shown, the GUI framework allocates a fixed amount of memory in the shared memory register that’s proportional to the size of the screen, Qian said. This memory is allocated inside the app process and shared with a separate window compositor process.
Shared memory is commonly adopted by window managers to receive window changes or updates from running applications. This gives rise to the side channel.
When a user downloads a malicious app, the shared memory lets attackers steal information such as login credentials, and obtain sensitive camera images such as photos of personal checks sent through banking apps.
Knowing the target app’s UI state makes existing attacks stealthier and more effective; further, user behavior can be inferred by tracking UI state changes.
How the Attack Works
The researchers first built a UI state machine based on UI state signatures constructed online.
In real time, they inferred UI states — called “activities” in Android — from an unprivileged background app.
They then exploited the designed functionality that allows UI preemption, commonly used by alarm or reminder apps on Android, to break the GUI integrity.
“This is akin to a combination of other well-known flaws such as the Trojan Horse approach,” Al Hilwa, a program director at IDC, told LinuxInsider.
Trojan Horses capture user data with a decoy UI before error messages are put out, and the real app is brought up once the data is stolen. However, in the researchers’ attack, “the real app is used but another app is capturing the data, then throwing out an error message,” Hilwa said.
The findings put paid to the common notion that downloaded apps cannot interfere with each other.
The Killing Fields
The researchers achieved success rates for their attacks of 92 percent for the Gmail and H&R Block apps; 86 percent for Newegg’s app; 85 percent for the WebMD app; and 83 percent for the Chase Bank and Hotels.com apps.
They had the lowest success rate — 48 percent — with the Amazon app, because it allows an activity to transition to almost any other activity, making tracking difficult.
“We will shut down the vulnerability on Android first, followed by iOS,” James Wu, CTO and COO of Newegg North America, told LinuxInsider. He expects these fixes to be in place by next week.
“At this time, there is no indication that any H&R Block client data has been compromised as a result of this vulnerability,” said company spokesperson Gene King.
“H&R Block takes privacy and security very seriously, and we are in contact with appropriate parties to address these reports,” he told LinuxInsider.
The researchers had not yet notified Google of the flaw, UCR’s Qian said.
On Responsibility and Defense
As for fixing the flaw, Newegg’s Wu said, “everyone is responsible — the OS makers, app developers and phone users.”
The researchers “did a good job at pointing out and educating everyone about a possible vulnerability,” he continued. “Now it is up to all of us to do something about it.”
OS vendors could eliminate the shared memory side channel, Qian suggested, although that could impact backward compatibility. Or they could redesign the GUI framework to avoid frequently allocating and deallocating memory, instead preallocating double the size of the memory. That approach would increase memory consumption, though.
There are “not always perfect solutions,” Qian admitted, noting that each imposes its own penalties.
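The trade-off in Qian’s second suggestion can be seen in a toy model. This is an added example, not code from the researchers or from Android; the buffer size and the allocate-then-free order on each transition are assumptions made for illustration.

```python
# Toy model (added example): what an observer of a process's shared-memory
# total sees under two buffer-allocation strategies. All sizes are constructed.

BUFFER = 1080 * 1920 * 4  # assumed: one window buffer, proportional to screen size


def on_demand_trace(transitions):
    """Allocate a buffer for each new window, then free the old one."""
    shared = BUFFER            # the first window is already showing
    trace = [shared]
    for _ in range(transitions):
        shared += BUFFER       # new window's buffer appears in shared memory
        trace.append(shared)
        shared -= BUFFER       # previous window's buffer is released
        trace.append(shared)
    return trace


def preallocated_trace(transitions):
    """Reserve double the buffer size once and reuse it for every window."""
    shared = 2 * BUFFER
    trace = [shared]
    for _ in range(transitions):
        trace.extend([shared, shared])  # same sampling points, no change
    return trace


def visible_transitions(trace):
    """Count samples where the total grows by exactly one window buffer."""
    return sum(1 for a, b in zip(trace, trace[1:]) if b - a == BUFFER)


def compare(transitions=5):
    """Return the observable signal and steady-state cost of each strategy."""
    results = {}
    for name, build in (("on_demand", on_demand_trace),
                        ("preallocated", preallocated_trace)):
        trace = build(transitions)
        results[name] = {
            "visible_transitions": visible_transitions(trace),
            "steady_state_bytes": trace[-1],
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(name, r)
```

With on-demand allocation every transition leaves a step in the shared-memory total; with preallocation the total stays flat, at twice the steady-state memory.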