Three computer security researchers from the University of Michigan—Qian, Qi Alfred Chen and Z. Morley Mao—plan to present a paper that demonstrates a novel way to use one Android app to spy on another. They say they were able to use the technique to steal passwords, credit card numbers and sensitive photos from apps including Gmail, the H&R Block App, NewEgg and the Chase app. They had more difficulty hacking the Amazon app, but even that was possible.
The trio added that this problem probably isn’t limited to Android, noting, “We expect the technique to be generalizable to all GUI systems with the same window manager design as that in Android, such as the GUI systems in Mac OS X, iOS, Windows, etc.”
In related news, a new FireEye report found that 68 percent of the top 1,000 most popular free apps in the Google Play store are susceptible to man-in-the-middle attacks.