Security researchers expose Gmail smartphone hack

Researchers from the Universities of Michigan and California say they’ve come up with a smartphone hack that can get into your Gmail account via your mobile device. A number of apps are affected by the vulnerability, but Gmail was exploited with a 92 percent success rate.

According to the details of the research, the hack — as you might expect — relies on a malware app posing as a genuine bit of software, so you should be safe if you take good care over what’s allowed to run on your handset. Once the malicious code is in place it can use a mobile device’s shared memory to jump into other apps, including Gmail.

“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, one of the team working on the project. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.” Banking apps were also successfully breached using the same method.

The hack relies on being able to predict what the user will do next and timing an interception perfectly, so some apps proved more vulnerable than others. Of the seven apps tested, Gmail was the easiest to access while the Amazon app was the most difficult. The exploit was run on an Android phone, though the researchers say the same principles can potentially be applied to iOS and Windows Phone.

Thanks to the procedures put in place to block and root out malware, the vulnerability reported here shouldn’t worry the majority of users. Nevertheless it’s a working demonstration of how a device’s shared memory can be misused, and another reminder to take care with your app installs — particularly if you’re on a rooted device.

A Google spokeswoman welcomed the report: “Third-party research is one of the ways Android is made stronger and more secure,” she said. The findings will be revealed in full at the USENIX Security Symposium in San Diego.
