A weakness in Android, one that’s likely also found in other leading operating systems, allows an attacker to infer what’s happening on a victim’s user interface and launch an appropriate secondary attack resulting in data loss.
Researchers from the University of Michigan and the University of California at Riverside presented their attack on Friday during the USENIX Security Symposium. The researchers developed an application that hijacks the UI state; it would have to be running in the background on the affected device. They were able to measure state changes in the UI via a shared memory side channel and determine with better than 90 percent accuracy in some cases what activity the users were undertaking, and launch a second attack that could steal sensitive inputs such as log-in credentials or photographs of personal checks and signatures used on banking applications.
The researchers tested seven popular Android applications, including Gmail, Amazon and H&R Block, and were able to accurately predict the current UI state. In other words, if the user was presented with a log-in window, their malicious app would launch a phishing window of its own and capture the user’s credentials.
“UI state is defined as a mostly consistent user interface shown in the window level, reflecting a specific piece of program functionality,” researchers Qi Alfred Chen, Zhiyun Qian and Z. Morley Mao wrote in their paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks.” “Thus, we call our attack UI state inference attack. In this attack, an attacker first builds a UI state machine based on UI state signatures constructed offline, and then infers UI states in real time from an unprivileged background app.”
While the researchers tested their attack only on Android, they wrote in their paper that the same shared memory mechanism being exploited here is also present in the window managers of Microsoft Windows, Mac OS X and iOS.
“This side channel exists because shared memory is commonly adopted by window managers to efficiently receive window changes or updates from running applications,” the researchers wrote, adding that they observe UI state changes through shared virtual memory that’s used to detect window events in target applications.
“Since the window manager property we exploit has no obvious vulnerabilities in either design or implementation, it is non-trivial to construct defense solutions,” the researchers wrote. The window manager interacts with apps such as Gmail and the others tested to draw the final pixels to the frame buffer, which is the final display, the paper explains.
“Unlike its predecessors, which allow individual applications to draw to the frame buffer directly, a compositing window manager requires applications to draw the window content to off-screen buffers first, and use a dedicated window compositor process to combine them into a final image, which is then drawn to the frame buffer,” the researchers wrote.
The researchers’ malicious app needs only permission to reach out to the Internet to work. Of the apps tested, the researchers were able to accurately infer activity on the application 92 percent of the time for Gmail and H&R Block, while Amazon was at the low end at 48 percent. Amazon’s low accuracy, the researchers wrote, was because certain features of the application were not distinct enough for proper detection and measurement by their method.
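To make the side channel described above concrete from a defender's perspective, here is a constructed toy model (added here; it is not code from the paper or from the researchers). It assumes, purely for illustration, that each UI state produces a characteristic sequence of shared-buffer size changes, that an unprivileged observer sees those changes plus a little jitter, and that a nearest-signature classifier stands in for the paper's "UI state machine". It then applies an assumed mitigation, coarsening every observable update to a fixed bucket size, and shows how much of the classifier's accuracy that removes. The signature values, the jitter range and the bucket size are all made up.

```python
import random

# Constructed signatures: hypothetical shared-buffer size deltas (in KB) that
# three UI states might produce. These numbers are invented for the model.
SIGNATURES = {
    "login":   [120, 48, 48],
    "inbox":   [600, 200, 64],
    "compose": [300, 300, 16],
}


def observe(state, rng, jitter=8):
    """What a background observer sees: the state's signature plus small noise."""
    return [d + rng.randint(-jitter, jitter) for d in SIGNATURES[state]]


def distance(a, b):
    """L1 distance between two delta sequences."""
    return sum(abs(x - y) for x, y in zip(a, b))


def coarsen(trace, bucket=512):
    """Assumed mitigation: round each observable update up to a coarse bucket,
    so states whose real updates differ only in fine detail look identical."""
    return [((d + bucket - 1) // bucket) * bucket for d in trace]


def infer(trace, mitigated=False, bucket=512):
    """Nearest-signature classifier. If the channel is coarsened, the attacker's
    offline signatures are coarsened the same way (they would be built from the
    same observations), so the comparison stays fair."""
    sigs = {s: coarsen(v, bucket) if mitigated else v
            for s, v in SIGNATURES.items()}
    return min(sigs, key=lambda s: distance(trace, sigs[s]))


def accuracy(trials=300, mitigated=False, bucket=512, seed=1):
    """Fraction of random UI states the observer classifies correctly."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        state = rng.choice(list(SIGNATURES))
        trace = observe(state, rng)
        if mitigated:
            trace = coarsen(trace, bucket)
        if infer(trace, mitigated, bucket) == state:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("unmitigated accuracy:", accuracy())
    print("coarsened accuracy:  ", accuracy(mitigated=True))
```

In the unmitigated model the three signatures are far apart relative to the jitter, so inference is essentially perfect, mirroring the 92 percent figures above; once updates are coarsened to 512 KB buckets, "login" and "compose" become indistinguishable and accuracy falls toward what guessing between them would give. The model also shows why the Amazon result is lower: states whose signatures overlap are hard to tell apart even without any mitigation.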