Critical Security Vulnerability Discovered in Android Smartphones
A team of researchers from the Swanson School of Engineering at the University of Pittsburgh has uncovered a critical security vulnerability in Android smartphones. Their recent study revealed that the graphics processing unit (GPU) in certain Android devices can be exploited to eavesdrop on user credentials when they are entered using the on-screen keyboard.
This hardware security flaw poses a much greater threat to users’ confidential personal data than previous attacks, which could only infer general user actions, such as which website was visited or the length of a password being entered.
“Our experiments show that the attack can accurately determine user credentials, such as usernames and passwords, without requiring any system privileges or causing any noticeable changes in the device’s operation or performance. Users would not be able to tell when they are being attacked,” said Wei Gao, Associate Professor of Electrical and Computer Engineering, whose lab led the research.
How the Vulnerability Works
During their experiments, the researchers were able to correctly identify which letters or numbers were pressed 80% of the time, based solely on data obtained from the GPU.
The team focused on the Qualcomm Adreno graphics chip, but they believe the vulnerability could also be exploited on other GPUs. The researchers have reported the issue to both Google and Qualcomm. Google has stated that a security patch for Android will be released by the end of the year.
Potential Risks for Users
For example, an attacker could create a seemingly safe app and embed malicious code that runs in the background. As a result, the malicious app could capture usernames and passwords entered into online banking apps or websites. Such code cannot be detected by standard Google Play security measures.
Research Publication
The paper, “Eavesdropping User Credentials via GPU Side Channels on Smartphones,” was co-authored by Boyuan Yang, Ruirong Chen, Kai Huang, Jun Yang, and Wei Gao. It was presented at the ASPLOS conference held from February 28 to March 4, 2022, in Lausanne, Switzerland.