An iPhone 5C smartphone in a pocket
Researchers claims sensitive information can be stolen from apps running on Android, Windows Phone and iOS.

Researchers claims a new piece of malware can steal highly sensitive data from smartphone apps on Android, Windows Phone and iOS with up to a 92% success rate.

The researchers have showcased the proof-of-concept malware running on an Android smartphone with the malicious software able to steal information such as login details, credit card numbers and even sensitive pictures taken with the victim's smartphone camera.

The researchers have not shown the attack working on iOS or Windows Phone operating systems, but they believe that the weakness exists in both platforms to carry out similar attacks "because they share a key feature researchers exploited in the Android system."

One of the researchers, Zhiyun Qian, said: "The assumption has always been that these apps can't interfere with each other easily. We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."


The attack only works if the attackers can get their victims to download what looks like a benign application, which is in fact a piece of malware. While this can be done on Android through third-party app stores, it is not as easy on iOS, while Apple only allows apps to be downloaded from the official App Store.

For the attack to work, say the researchers, it must happen at the exact time the victim is inputting the sensitive information the attackers are after.

In order to achieve this, the researchers have exploited "a newly discovered public side channel" - the shared memory statistics of an app's process, which can be accessed without any privileges.

The malware is constantly monitoring for changes in the shared memory of the target app (which can be anything from a banking app to Gmail or Amazon) and once the malware notices a change to what the researchers have called an "activity transition event" - such as taking a picture or logging into your Gmail account - the malware takes over and begins capturing the data.

92% successful

The researchers have released three videos (which can be seen here) showing the exploit in action, capturing login details, credit card information and pictures.

The researchers tested the malware against seven different apps including Gmail, Amazon, Newegg, and an app from Chase bank.

Of the apps tested Gmail was the most vulnerable with a 92% success rate in capturing sensitive data, while Amazon was the least vulnerable with just a 48% success rate.

The reason for the Amazon app's lower vulnerability according to the researchers was because it allows one activity to transition to numerous other activities, making it more difficult to guess which activity the app was using.

IBTimes UK contacted Google for a comment on the report with a spokesperson saying they are looking into the matter.

The researchers will publish their full report, called Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks on Friday, 22 August at a security conference in San Diego.

The authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at University of California; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.