Abstract
App-based UI deception attacks are an increasing problem on mobile devices; they are used to steal passwords, credit card numbers, text messages, and other sensitive input. Current versions of Android are susceptible to these attacks. Recently, Bianchi et al. proposed a novel solution, “What the App is That”, that included a host-based system to identify apps to users via a security indicator and help assure them that their input goes to the identified app [7]. Unfortunately, we found that the solution has a significant side-channel vulnerability as well as susceptibility to clickjacking; together these allow non-privileged malware to completely compromise the defenses and successfully steal passwords or other keyboard input. We discuss the vulnerabilities found, propose possible defenses, and then evaluate the defenses against different types of UI deception attacks.
Notes
- 1.
We chose to attack Facebook in our examples, though it could equally well have been a banking app.
- 2.
At the time of writing, this file was publicly accessible to any app. Recently, the current version of Android (Marshmallow) tightened its SELinux policy to prevent arbitrary apps from accessing the file.
- 3.
There are slightly fewer attacks than the random strategy since the channel strategy is conservative and chooses to let some intervals go without attack attempts rather than to risk detection.
- 4.
Our attack demonstrations in the video use a window type that captures input without passing it to the underlying window. We subsequently verified that our attacks are also feasible using toast windows, which allow input to be both captured and passed through to the underlying window; in this case the user will not notice any missing characters.
References
Android UI Deception PoC Code. https://github.com/earlence/AndroidUIDeceptionRevisitedFC16. Accessed Oct 2015
Apple XCodeGhost Attack. http://www.apple.com/cn/xcodeghost/#english. Accessed Oct 2015
Activity hijacking pattern for Android. http://capec.mitre.org/data/definitions/501.html. Accessed Oct 2015
Android Touch-Event Hijacking. https://blog.lookout.com/blog/2010/12/09/android-touch-event-hijacking/. Accessed Oct 2015
Akhawe, D., He, W., Li, Z., Moazzezi, R., Song, D.: Clickjacking revisited: a perceptual view of UI security. In: Proceedings of the 8th USENIX Conference on Offensive Technologies, WOOT 2014, pp. 1–1. USENIX Association, Berkeley, CA, USA (2014). http://dl.acm.org/citation.cfm?id=2671293.2671294
Lovejoy, B.: Beware authentication popups in iOS Mail: bug allows convincing-looking phishing attacks. http://9to5mac.com/2015/06/10/ios-mail-phishing-popup/. Accessed Dec 2015
Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? Deception and countermeasures in the Android user interface. In: Proceedings of the IEEE Symposium on Security and Privacy (SP), San Jose, CA, May 2015
Castillo, C.: McAfee Labs: phishing attack replaces banking app with malware. http://blogs.mcafee.com/mcafee-labs/phishing-attack-replaces-android-banking-apps-with-malware. Accessed Oct 2015
Chebyshev, V., Unuchek, R.: Mobile malware evolution in 2013. http://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/. Accessed Oct 2015
Chen, J., Chen, H., Bauman, E., Lin, Z., Zang, B., Guan, H.: You shouldn’t collect my secrets: thwarting sensitive keystroke leakage in mobile IME apps. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 657–690. USENIX Association, Washington, D.C. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/chen-jin
Chen, Q.A., Qian, Z., Mao, Z.M.: Peeking into your app without actually seeing it: UI state inference and novel Android attacks. In: Proceedings of the 23rd USENIX Security Symposium (2014)
Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, MobiSys 2011, pp. 239–252, NY, USA (2011). http://doi.acm.org/10.1145/1999995.2000018
Clickjacking SideChannel Demonstration videos. https://sites.google.com/site/clickjackingsidechannels/. Accessed Oct 2015
Dhamija, R., Tygar, J.D.: The battle against phishing: dynamic security skins. In: Proceedings of the 2005 Symposium on Usable Privacy and Security, SOUPS 2005, pp. 77–88, NY, USA (2005). http://doi.acm.org/10.1145/1073001.1073009
Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2006, pp. 581–590, NY, USA (2006). http://doi.acm.org/10.1145/1124772.1124861
Felt, A.P., Wagner, D.: Phishing on mobile devices. In: W2SP (2011)
Fernandes, E., Chen, Q., Essl, G., Halderman, J.A., Mao, Z.M., Prakash, A.: TIVOs: trusted visual I/O paths for android. Technical report CSE-TR-586-14, CSE Department, University of Michigan, Ann Arbor (2014)
Fette, I., Sadeh, N., Tomasic, A.: Learning to detect phishing emails. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 649–656, NY, USA (2007). http://doi.acm.org/10.1145/1242572.1242660
Hao, S., Liu, B., Nath, S., Halfond, W.G., Govindan, R.: PUMA: programmable UI-automation for large-scale dynamic analysis of mobile apps. In: Proceedings of the 12th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2014, pp. 204–217, NY, USA (2014). http://doi.acm.org/10.1145/2594368.2594390
Huang, L.S., Moshchuk, A., Wang, H.J., Schechter, S., Jackson, C.: Clickjacking: attacks and defenses. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, pp. 22–22. USENIX Association, Berkeley, CA, USA (2012). http://dl.acm.org/citation.cfm?id=2362793.2362815
Kaspersky: Svpeng Android malware targets banking apps. http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-detects-mobile-Trojan-Svpeng-Financial-malware-with-ransomware-capabilities-now-targeting-US-users. Accessed Oct 2015
Kelly, M.: Badlepricon: bitcoin gets the mobile malware treatment in Google Play. https://blog.lookout.com/blog/2014/04/24/badlepricon-bitcoin/. Accessed Oct 2015
Liu, B., Nath, S., Govindan, R., Liu, J.: DECAF: detecting and characterizing ad fraud in mobile apps. In: NSDI (2014)
Liu, D., Cuervo, E., Pistol, V., Scudellari, R., Cox, L.P.: ScreenPass: secure password entry on touchscreen devices. In: Proceeding of the 11th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2013, pp. 291–304, NY, USA (2013). http://doi.acm.org/10.1145/2462456.2465425
Niemietz, M., Schwenk, J.: UI redressing attacks on android devices. In: Proceedings of BlackHat Abu Dhabi (2012)
Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The emperor’s new security indicators. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP 2007, pp. 51–65 (2007). http://dx.doi.org/10.1109/SP.2007.35
Android 5.0 Screen Pinning. https://support.google.com/nexus/answer/6118421?hl=en. Accessed Oct 2015
Tong, T., Evans, D.: GuarDroid: a trusted path for password entry. In: Proceedings of Mobile Security Technologies (MoST) (2013)
TrendMicro: mobile phishing attacks ask for government ids. http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-phishing-attack-asks-for-users-government-ids/. Accessed Oct 2015
Unuchek, R.: Svpeng android malware targets Google Play with fake credit card window. http://securelist.com/blog/incidents/63746/latest-version-of-svpeng-targets-users-in-us/. Accessed Oct 2015
Whittaker, C., Ryner, B., Nazif, M.: Large-scale automatic classification of phishing pages. In: NDSS (2010)
Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2006, pp. 601–610, NY, USA (2006). http://doi.acm.org/10.1145/1124772.1124863
Zhang, Y., Xue, H., Wei, T.: Occupy your icons silently on android. http://www.fireeye.com/blog/technical/2014/04/occupy_your_icons_silently_on_android.html. Accessed Oct 2015
Chen, Z., Wei, T., Xue, H., Zhang, Y.: Three new masque attacks against iOS: demolishing, breaking and hijacking. https://www.fireeye.com/blog/threat-research/2015/06/three_new_masqueatt.html. Accessed Dec 2015
Acknowledgements
We thank the reviewers for their insightful feedback. This material is based upon work supported by the National Science Foundation under Grant No. 1318722. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Copyright information
© 2017 International Financial Cryptography Association
About this paper
Cite this paper
Fernandes, E. et al. (2017). Android UI Deception Revisited: Attacks and Defenses. In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science, vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_3
DOI: https://doi.org/10.1007/978-3-662-54970-4_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-54969-8
Online ISBN: 978-3-662-54970-4