A team of U.S. engineers discovered vulnerabilities in major mobile operating systems that allowed them to hack into several apps, including Gmail, with a 92 percent success rate.
The growing proliferation of smartphones means many mobile users depend entirely on their mobile phones for various operations like checking email, processing bank transactions and shopping. But smartphone users are risking more than they imagined in favor of convenience.
The team of engineers discovered flaws in leading mobile operating systems, including Android, iOS and Windows.
The researchers from the University of California-Riverside and the University of Michigan tested the hacking method and were able to get into six out of seven popular apps. Of all tested apps, Amazon was the only app that made it difficult for the researchers to hack. Even so, researchers claimed to have a 48 percent success rate sneaking into Amazon, CBS News reported.
The new hack attack, which researchers call a "user interface state interference attack," was demonstrated on the UI State Interference Attack website. Three videos uploaded by the researchers showed successful penetration into apps from H&R Block, Chase (83 percent success rate) and NewEgg (86 percent). The exploitation of H&R Block allowed researchers to steal users' login details and Social Security numbers. In penetrating the Chase app, researchers found that users' highly sensitive information, such as address, name, bank routing number, account number and signature, was vulnerable to hackers. The NewEgg app put users' credit card numbers and shipping addresses at risk.
The attack happens without users' knowledge, and all the information is sent in plain text to the attackers.
The test was conducted on the Android platform, but researchers said the hack will work similarly on iOS and Windows.
"The assumption has always been that apps cannot interfere with each other easily. We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user," explained Zhiyun Qian, an assistant professor at UC Riverside's Bourns College of Engineering.
Qian warns mobile users to refrain from installing dubious apps.
The paper detailing the research will be presented Saturday at the 23rd USENIX Security Symposium in San Diego.