Researchers at the University of California, Riverside and the University of Michigan announced recently that they have developed a hack that works 92% of the time on Google's Gmail system on Android, as well as with the H&R Block app.
In addition, this hack worked 86% of the time on Newegg, and 83% of the time at Chase Bank and Hotels.com. That's a highly reliable hack as far as hacks go. Probably most troubling is its reliability against the Chase Bank app.
The key to the hack is to get the user to download a malicious app. As you know, apps on the Android system are not vetted like the apps on Apple's iOS, and as such, some malicious apps do appear in the Google Play Store.
Once this fake or malicious app is on an Android device, it monitors a legitimate app, such as the Chase Bank app. When the user opens the legitimate app, the malicious app inserts a fake login screen in front of it, and the user enters their credentials there. The researchers were also able to capture the photo of a check being deposited through the Chase app.
Several pieces have to come together for this hack, and none of them should be hard for black hats to replicate. First, the end user has to be enticed into downloading a malicious app. This isn't hard, as people routinely download free apps they know nothing about; a "free" version of a popular paid app will likely entice millions to download it.
Second, the malicious app needs to detect when the user is opening the victim app. This is also not hard: each app has its own signature (much like the signatures AV software matches on) that the malicious app can detect, and it can then launch the matching fake login screen.
In the case of the check deposit in the Chase app, as soon as you enable the camera on your phone, it shows the video of everything in its viewfinder. The malicious app can detect this action and intercept the picture of the check at the moment it is "snapped."
You can see how it works in their demo video below.
The key to this vulnerability is that apps sometimes use shared memory space. It is this shared memory that is exploited to detect and determine when the target app is being used, and then to inject the fake login screen.
Although this hack was demonstrated on Android, it can just as easily be done on Windows and iOS phones, since they also use shared memory space. The only limitation is the vetting process of the app store and any AV software on your phone that might detect the app's malicious nature.
Videos for their Newegg hack (which takes the credit card number and shipping address) and H&R Block hack (which steals a password and social security number) can be seen below.