Researchers uncover a hardware security vulnerability on Android phones

Android phones: Hopefully not, therefore, not for lengthy, because of a group of researchers in the College of Pittsburgh Swanson School of Engineering.

Their recent study discovered that the Graphics Processing Unit (GPU) in certain Android phones could be employed to eavesdrop on the user’s credentials once the user types these credentials while using the smartphone’s on-screen keyboard, which makes it a highly effective target for hacking. This Android phones hardware security vulnerability exposes an infinitely more serious threat to users’ sensitive private data, when compared to previous attacks that may only infer anyone’s coarse-grained activities, like the website being visited or the size of the password being typed.

Android phones

“Our experiments reveal that our attack can properly infer a user’s credential inputs, for example, their password, without requiring any system privilege or causing any noticeable transfer of the device’s operations or performance. Users wouldn’t have the ability to tell when it is happening,” stated Wei Gao, affiliate professor of electrical and computer engineering, whose lab brought the research. “It was vital to allow manufacturers to realize that the telephone is susceptible to eavesdropping to enable them to make changes towards the hardware.”

A phone’s GPU processes all the images that appear on screen, such as the pop-up animations whenever a letter from the on-screen keyboard is pressed. They could properly infer which letters or figures were pressed greater than 80 % of the time, based only on how the GPU creates the displayed keyboard animations.

“If a person were to benefit from this weakness, they might develop a benign application like a game title or any other app and embed malicious code in it that will run quietly without anyone’s knowledge after it’s installed,” stated Gao. “Our experimental form of this attack could effectively target passwords being joined in internet banking, investment, and credit rating apps and websites, so we have demonstrated the embedded malicious codes within the application can’t be properly detected through the Google Play Store.”

They focused their experiments around the Qualcomm Adreno GPU, however, this method may potentially be utilized for other GPUs, too. They reported their findings to Google and Qualcomm, and Google confirmed that they’ll release an Android security update later this season to deal with the priority.

The paper, “Eavesdropping User Credentials via GPU Side Channels on Android phones,” was co-authored by Boyuan Yang, Ruirong Chen, Kai Huang, Jun Yang, and Wei Gao. It had been presented at the ASPLOS Conference, held in February. 28 through March 4, 2022, in Lausanne, Europe.