New technique for identity-theft apps: the only permission a rogue app needs is network access

Researchers at the University of California, Riverside and the University of Michigan in the United States have found a new approach for building rogue apps that secretly steal important personal information from other Android apps. The targets are everyday apps such as mail, online shopping and online banking.

On 22 August 2014 (local time), at the USENIX Security Symposium held in San Diego, the research team demonstrated a rogue app developed with this technique.

The app succeeded in stealing the login information of Google's Gmail app, the social security number entered into the app of the US tax-preparation giant H&R Block, the credit card number entered into the app of the US online retailer NewEgg, and the image of a bank check captured by the online banking app of JPMorgan Chase. It does this without exploiting any defect in those apps.

What the research team exploited is a design weakness lurking in the GUI layer of the operating system. The demonstration used a rogue app running on Android, but because iOS, Mac OS X and Windows use the same design approach in their GUIs, a similar rogue app could in theory be made to work on those operating systems as well.

Because the weakness is a design problem, fixing it is not easy, says Zhiyun Qian, one of the researchers. The GUI part of the OS may need to be redesigned, which could create backward-compatibility problems with apps already on the market.

"There is no perfect and simple solution to this problem. We also do not yet fully understand what could be done to fix it easily."

Google was asked for comment, but did not respond.

The design weakness the team used is this: on devices such as smartphones, the most common kinds of processing, including the GUI, rely on a mechanism that allows memory to be shared among applications.

The GUI's memory usage changes according to what the user is doing. The team's rogue app closely monitored how the memory usage of the target app changed over time. After only about a day of monitoring, it was able to determine the moment at which the user was about to perform a particular operation, such as entering a username and password and submitting a form.

At exactly that moment, the rogue app displays a fake screen. The screen is a look-alike of the target app's real screen, and it captures the data the user types in instead of the real screen receiving it.

Once the input has been captured, the rogue app displays an error message so as not to leave any trace. The user, who is then allowed to re-enter the data into the real app, is given no reason to become suspicious.

For images that the user photographs, such as a bank check, the rogue app intercepts the device's camera preview function and takes a copy of the image for itself.

The rogue app runs in the background and does not interfere with other processes on the device. The only permission it needs to operate is Internet access.

"It is not necessary to use several permissions. Permission for a network connection alone is enough. Because it is such a common permission, it is not suspicious at all." (Qian)

When the rogue app was tested against seven widely used Android apps, its success rate averaged 83-94%. The only exception was Amazon's mobile app: because its flow of operations is convoluted, identifying what the user was doing was harder than with the other apps.

Besides Gmail, H&R Block, NewEgg, JPMorgan Chase and Amazon, the apps tested were those of the US medical information service WebMD and of Hotel.com.

Estimates of the malware infection rate of Android devices vary from survey to survey; some put it as high as 4%, others at only 0.0009%. For iOS devices the infection rate figures are even smaller, because Apple scrutinizes every app and makes apps available only through the App Store.

Malware is especially likely to get onto an Android device when an unofficial app store is used. Such stores are common in Eastern Europe and Asia. In the United States, most Android apps are downloaded from Google Play, which is more secure.

A demo video of the rogue app developed by the research team is available on its Web site.
