Researchers at the University of California, Riverside and the University of Michigan have discovered a flaw in Android that could allow nefarious users to hijack apps. The researchers believe that Android isn’t alone in being vulnerable to this attack; iOS and Windows Phone are thought to be susceptible to the flaw as well.
The flaw has to do with the way apps share memory space inside a device. Devices natively sandbox apps that are running in memory to separate them from each other, but they typically rely on a common graphical interface framework called a window manager. That window manager operates in shared memory space and renders the graphic elements we see on the screen.
To exploit this flaw, a malicious app would have to be downloaded and running in the background on Android devices. The app would need to use little energy and have low overhead to help it remain undetected. This malicious app would watch what graphics are being drawn on the screen and could inject timed fake interface elements, like login screens, to steal credentials.
This is a man-in-the-middle attack, and some commonly used apps like Gmail, Amazon, Chase, Newegg, and WebMD were all found to be vulnerable to it. The researchers found that Gmail was vulnerable to the attack 92% of the time.
SOURCE: Information Week