
Android UI Deception Revisited: Attacks and Defenses

Conference paper, Financial Cryptography and Data Security (FC 2016)

Abstract

App-based deception attacks are increasingly a problem on mobile devices and they are used to steal passwords, credit card numbers, text messages, etc. Current versions of Android are susceptible to these attacks. Recently, Bianchi et al. proposed a novel solution “What the App is That” that included a host-based system to identify apps to users via a security indicator and help assure them that their input goes to the identified apps [7]. Unfortunately, we found that the solution has a significant side channel vulnerability as well as susceptibility to clickjacking that allow non-privileged malware to completely compromise the defenses, and successfully steal passwords or other keyboard input. We discuss the vulnerabilities found, propose possible defenses, and then evaluate the defenses against different types of UI deception attacks.


Notes

  1. We chose to attack Facebook in our examples, though it could equally well have been a banking app.

  2. At the time of writing, this file was publicly accessible to any app. Recently, the current version of Android (Marshmallow) tightened its SELinux policy to prevent arbitrary apps from accessing the file.

  3. There are slightly fewer attacks than with the random strategy, since the channel strategy is conservative and chooses to let some intervals go without attack attempts rather than risk detection.

  4. Our attack demonstrations in the video use a window type that captures input without passing it to the underlying window. We subsequently verified that our attacks are feasible using toast windows, which allow input to be both captured and passed to the underlying window; in this case the user will not notice missing characters.

References

  1. Android UI Deception PoC Code. https://github.com/earlence/AndroidUIDeceptionRevisitedFC16. Accessed Oct 2015

  2. Apple XCodeGhost Attack. http://www.apple.com/cn/xcodeghost/#english. Accessed Oct 2015

  3. Activity hijacking pattern for Android. http://capec.mitre.org/data/definitions/501.html. Accessed Oct 2015

  4. Android Touch-Event Hijacking. https://blog.lookout.com/blog/2010/12/09/android-touch-event-hijacking/. Accessed Oct 2015

  5. Akhawe, D., He, W., Li, Z., Moazzezi, R., Song, D.: Clickjacking revisited: a perceptual view of UI security. In: Proceedings of the 8th USENIX Conference on Offensive Technologies, WOOT 2014, pp. 1–1. USENIX Association, Berkeley, CA, USA (2014). http://dl.acm.org/citation.cfm?id=2671293.2671294

  6. Lovejoy, B.: Beware authentication popups in iOS Mail: bug allows convincing-looking phishing attacks. http://9to5mac.com/2015/06/10/ios-mail-phishing-popup/. Accessed Dec 2015

  7. Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? Deception and countermeasures in the Android user interface. In: Proceedings of the IEEE Symposium on Security and Privacy (SP), San Jose, CA, May 2015

  8. Castillo, C.: McAfee Labs: Phishing attack replaces banking app with malware. http://blogs.mcafee.com/mcafee-labs/phishing-attack-replaces-android-banking-apps-with-malware. Accessed Oct 2015

  9. Chebyshev, V., Unuchek, R.: Mobile malware evolution in 2013. http://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/. Accessed Oct 2015

  10. Chen, J., Chen, H., Bauman, E., Lin, Z., Zang, B., Guan, H.: You shouldn't collect my secrets: thwarting sensitive keystroke leakage in mobile IME apps. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 657–690. USENIX Association, Washington, D.C. (2015). https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/chen-jin

  11. Chen, Q.A., Qian, Z., Mao, Z.M.: Peeking into your app without actually seeing it: UI state inference and novel Android attacks. In: Proceedings of the 23rd USENIX Security Symposium (2014)

  12. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, MobiSys 2011, pp. 239–252, NY, USA (2011). http://doi.acm.org/10.1145/1999995.2000018

  13. Clickjacking SideChannel Demonstration videos. https://sites.google.com/site/clickjackingsidechannels/. Accessed Oct 2015

  14. Dhamija, R., Tygar, J.D.: The battle against phishing: dynamic security skins. In: Proceedings of the 2005 Symposium on Usable Privacy and Security, SOUPS 2005, pp. 77–88, NY, USA (2005). http://doi.acm.org/10.1145/1073001.1073009

  15. Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2006, pp. 581–590, NY, USA (2006). http://doi.acm.org/10.1145/1124772.1124861

  16. Felt, A.P., Wagner, D.: Phishing on mobile devices. In: W2SP (2011)

  17. Fernandes, E., Chen, Q., Essl, G., Halderman, J.A., Mao, Z.M., Prakash, A.: TIVOs: trusted visual I/O paths for Android. Technical report CSE-TR-586-14, CSE Department, University of Michigan, Ann Arbor (2014)

  18. Fette, I., Sadeh, N., Tomasic, A.: Learning to detect phishing emails. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 649–656, NY, USA (2007). http://doi.acm.org/10.1145/1242572.1242660

  19. Hao, S., Liu, B., Nath, S., Halfond, W.G., Govindan, R.: PUMA: programmable UI-automation for large-scale dynamic analysis of mobile apps. In: Proceedings of the 12th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2014, pp. 204–217, NY, USA (2014). http://doi.acm.org/10.1145/2594368.2594390

  20. Huang, L.S., Moshchuk, A., Wang, H.J., Schechter, S., Jackson, C.: Clickjacking: attacks and defenses. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, pp. 22–22. USENIX Association, Berkeley, CA, USA (2012). http://dl.acm.org/citation.cfm?id=2362793.2362815

  21. Kaspersky: Svpeng Android malware targets banking apps. http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-detects-mobile-Trojan-Svpeng-Financial-malware-with-ransomware-capabilities-now-targeting-US-users. Accessed Oct 2015

  22. Kelly, M.: Badlepricon: Bitcoin gets the mobile malware treatment in Google Play. https://blog.lookout.com/blog/2014/04/24/badlepricon-bitcoin/. Accessed Oct 2015

  23. Liu, B., Nath, S., Govindan, R., Liu, J.: DECAF: detecting and characterizing ad fraud in mobile apps. In: NSDI (2014)

  24. Liu, D., Cuervo, E., Pistol, V., Scudellari, R., Cox, L.P.: ScreenPass: secure password entry on touchscreen devices. In: Proceedings of the 11th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2013, pp. 291–304, NY, USA (2013). http://doi.acm.org/10.1145/2462456.2465425

  25. Niemietz, M., Schwenk, J.: UI redressing attacks on Android devices. In: Proceedings of BlackHat Abu Dhabi (2012)

  26. Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The emperor's new security indicators. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP 2007, pp. 51–65 (2007). http://dx.doi.org/10.1109/SP.2007.35

  27. Android 5.0 Screen Pinning. https://support.google.com/nexus/answer/6118421?hl=en. Accessed Oct 2015

  28. Tong, T., Evans, D.: GuarDroid: a trusted path for password entry. In: Proceedings of Mobile Security Technologies (MoST) (2013)

  29. TrendMicro: Mobile phishing attacks ask for government IDs. http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-phishing-attack-asks-for-users-government-ids/. Accessed Oct 2015

  30. Unuchek, R.: Svpeng Android malware targets Google Play with fake credit card window. http://securelist.com/blog/incidents/63746/latest-version-of-svpeng-targets-users-in-us/. Accessed Oct 2015

  31. Whittaker, C., Ryner, B., Nazif, M.: Large-scale automatic classification of phishing pages. In: NDSS (2010)

  32. Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2006, pp. 601–610, NY, USA (2006). http://doi.acm.org/10.1145/1124772.1124863

  33. Zhang, Y., Xue, H., Wei, T.: Occupy your icons silently on Android. http://www.fireeye.com/blog/technical/2014/04/occupy_your_icons_silently_on_android.html. Accessed Oct 2015

  34. Chen, Z., Wei, T., Xue, H., Zhang, Y.: Three new Masque attacks against iOS: demolishing, breaking and hijacking. https://www.fireeye.com/blog/threat-research/2015/06/three_new_masqueatt.html. Accessed Dec 2015


Acknowledgements

We thank the reviewers for their insightful feedback. This material is based upon work supported by the National Science Foundation under Grant No. 1318722. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Author information

Corresponding author: Earlence Fernandes.


Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Fernandes, E. et al. (2017). Android UI Deception Revisited: Attacks and Defenses. In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science, vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_3


  • DOI: https://doi.org/10.1007/978-3-662-54970-4_3


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-54969-8

  • Online ISBN: 978-3-662-54970-4

  • eBook Packages: Computer Science (R0)
