US researchers say they have been able to hack into Gmail accounts with a 92% success rate by exploiting a weakness in smartphone memory.The researchers were able to gain access to a number of apps, including Gmail, by disguising malicious software as another downloaded app.
Gmail was among the easiest to access from the popular apps tested.
The hack was tested on an Android phone, but the researchers believe it could work on other operating systems.
A Google spokeswoman said the technology giant welcomed the research. “Third-party research is one of the ways Android is made stronger and more secure,” she said.
The research is being presented later at a cybersecurity conference in San Diego by academics from the universities of Michigan and California.
Other apps hacked included H&R Block, Newegg, WebMD, WebHealth, Chase Bank, Hotels.com and Amazon.
Passwords stolen
The Amazon app was the hardest to access, with a 48% success rate.
The hack involves accessing the shared memory of a user’s smartphone using malicious software disguised as an apparently harmless app, such as wallpaper.
This shared memory is used by all apps, and by analysing its use the researchers were able to tell when a user was logging into apps such as Gmail, giving them the opportunity to steal login details and passwords.
“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, an assistant professor at the University of California and one of the researchers involved in the study.
“We show that assumption is not correct, and one app can in fact significantly impact another and result in harmful consequences for the user.”
In another example the researchers were able to take advantage of a feature of the Chase Bank app which allows customers to pay in cheques by taking pictures of them with their device’s camera.
The researchers were able to access the camera to steal the pictures as they were being taken, giving them access to personal information including signatures and bank details.
The tests were carried out on Android phones, but the researchers believe the attacks could be successful on other operating systems, including Windows and the iOS system developed by Apple.