University researchers have built an Android app that secretly snatches valuable personal data from other mobile apps, such as webmail, shopping and online banking apps.
The app, demonstrated Friday at the USENIX Security Conference in San Diego, stole login credentials from Google Gmail, a social security number from an H&R Block app, a credit card number from a NewEgg app and a bank-check image from a Chase Bank app.
The attack, developed by researchers from the University of Michigan and the University of California, Riverside, did not exploit a flaw in any of the apps.
Instead, the researchers took advantage of the operating system’s graphical user interface (GUI) design. While the malicious app was demonstrated on Android, it could theoretically work on iOS, Mac OS X and Windows, which use the same GUI design.
Because the weakness is a design problem, there is no easy fix, said Zhiyun Qian, a co-author of the research. The GUI portion of the OS would have to be redesigned, which would cause compatibility problems for apps already on the market.