University researchers can hack a cell phone with a 92 percent rate, accessing banking, financial transactions and tricking the user to potentially engage in fraud, according to a new study.

Cell phone hack

“We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen,” said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. “It’s seamless because we have this timing.”

Weakness in cellphone operating system

Chen is one of the researchers from the University of Michigan and the University of California Riverside that identified a weakness they believe exists across Android, Windows and Apple’s iOS mobile operating systems.  They only conducted extensive tests with Andriod but believe the issue exists across all platforms because all the systems allow generally unrestricted access to the phone’s shared memory.

Google’s Gmail app was the most popular hack, but other applications hacked include Chase Bank, H&R Block, WebMD, Bank, and Amazon, which was the most difficult to hack, according to the report.

As banks and financial firms rush to offer cell phone applications to encourage customers to conduct business electronically, the light disclosure of risk accompanies the apparent ease with which computer hackers can access a user’s cell phone for devious purposes.

How the researchers hacked a cell phone

In their research, an apparent benign wallpaper application was created that included malicious computer code.  Once the wallpaper was installed, the devious computer code accessed the cell phone’s shared memory, which, oddly, didn’t require any special privileges or security.

The “shared memory slide channel,” the hack target, is located on the cell phone’s operating system.  The computer code hacks this operating system feature to spy through other applications.

Through this application, the researchers monitored when a cell phone was used to log into banking applications to take a picture of a check or transfer funds, log into an H&R Block tax application, for example.  When the phone user logged in, the researchers could input a fake screen that enabled them to capture the user password and other unique identifiers.

“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, an associate professor at UC Riverside. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

The researchers will deliver a presentation on their paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks” (PDF), at the USENIX Security Symposium in San Diego on August 23.