Modern operating systems "sandbox" apps so that they can't affect each other — in theory. Yet three researchers have shown that, at least in Android, one app can "spy" on another and then, at just the right moment, interfere with the targeted app's user display in order to steal passwords, credit-card numbers or even sensitive photos.
In this way, the researchers were able to steal login credentials from the Gmail app, a Social Security number from the H&R Block app, a credit-card number from the NewEgg app and a bank-check image from the Chase app. Only the Amazon app proved resistant, though not immune.
While the experiments were carried out on Android phones, the researchers believe iOS and even desktop operating systems such as Mac OS X and Windows would be vulnerable to similar attacks.
"The assumption has always been that these apps can't interfere with each other easily," researcher Zhiyun Qian of NEC Laboratories America told Phys.org. "One app can in fact significantly impact another and result in harmful consequences for the user."
The three researchers (Qian, along with Qi Alfred Chen and Z. Morley Mao of the University of Michigan) plan to present their findings at the USENIX Security Symposium in San Diego Friday (Aug. 22), and have already shared them in a research paper entitled "Peeking into Your App Without Actually Seeing It: UI State Inference and Novel Android Attacks."
— Paul Wagenseil, Tom's Guide