The vulnerability allows personal information to be obtained by exploiting the phone’s shared memory.
Researchers at the University of Michigan and University of California Riverside have exposed a vulnerability believed to exist across the Android, iOS, and Windows platforms that allows personal information to be obtained by exploiting the phone’s shared memory.
Although users must approve permissions for each app they install, once that is done, every app then runs on the same shared infrastructure.
“The assumption has always been that these apps can’t interfere with each other easily,” said Zhiyun Qian, an assistant professor at UC Riverside, in a news release. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
The researchers demonstrated the hack using an Android phone. They had users download a seemingly benign app, such as a wallpaper app. When that app ran in the background, the researchers could access the phone’s shared memory without needing any special privileges. They then monitored changes in the shared memory and correlated the changes to what they dubbed “activity transition events,” which included logging into a service or photographing a check for digital deposit.
“We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen,” said Qi Alfred Chen, a doctoral student in electrical engineering and computer sciences at University of Michigan. “It’s seamless because we have this timing.”
Chen and his colleagues successfully hacked popular apps like Gmail, Chase Bank, and H&R Block with an 82 percent to 92 percent success rate. Amazon was one of the only apps that gave them difficulty; it was only exploited 48 percent of the time.
Unfortunately for smartphone users, there is not much they can do at the moment to protect themselves from this hack. Qian had this advice: “Don’t install untrusted apps.”