VenomAttack: automated and adaptive activity hijacking in Android

  • Research Article
  • Frontiers of Computer Science

Abstract

Activity hijacking is one of the most powerful attacks in Android. Though promising, all prior activity hijacking attacks suffer from limitations and have limited attack capabilities. They no longer pose security threats in recent Android versions due to the presence of effective defense mechanisms. In this work, we propose the first automated and adaptive activity hijacking attack, named VenomAttack, which enables a spectrum of customized attacks (e.g., phishing, spoofing, and DoS) on a large scale in recent Android versions, even when state-of-the-art defense mechanisms are deployed. Specifically, we propose to use hotpatch techniques to identify vulnerable devices and update the attack payload without re-installation and re-distribution, hence bypassing offline detection. We present a newly discovered flaw in Android and a bug in derivatives of Android, each of which allows us to check whether a target app is running in the background, by which we can determine the right attack timing via a designed transparent activity. We also propose an automated fake activity generation approach, allowing large-scale attacks. Requiring only the common permission INTERNET, we can hijack activities at the right time without destroying the GUI integrity of the foreground app. We conduct proof-of-concept attacks, showing that VenomAttack poses severe security risks on recent Android versions. The user study demonstrates the effectiveness of VenomAttack in real-world scenarios, achieving a high success rate (95%) without users' awareness. These results call for more attention from stakeholders such as Google.

Acknowledgements

This work was supported by the National Natural Science Foundation of China (Grant Nos. 62072309 and 6171101225).

Author information

Corresponding author

Correspondence to Fu Song.

Additional information

Pu Sun is a PhD student in ShanghaiTech University, China supervised by Prof. Fu Song. He is also with Shanghai Institute of Microsystem and Information Technology, Chinese Academy of Sciences, China; and University of Chinese Academy of Sciences, China. He received the BS degree in Computer Science from Northeastern University, China in 2018. His research interests are in software testing and software security.

Sen Chen is an Associate Professor with the College of Intelligence and Computing, Tianjin University, China. Previously, he was a research assistant professor and postdoctoral research fellow at Cybersecurity Lab, School of Computer Science and Engineering, Nanyang Technological University, Singapore from 2019 to 2020. He received his PhD degree in computer science from East China Normal University, China in 2019. His research focuses on software engineering, security, and data-driven analytics.

Lingling Fan is an Associate Professor with the College of Cyber Science, Nankai University, China. She received her PhD and BS degrees in computer science from East China Normal University, China in 2019 and 2014, respectively. Previously, she was a research assistant professor and postdoctoral research fellow at Cybersecurity Lab, School of Computer Science and Engineering, Nanyang Technological University, Singapore from 2019 to 2020. Her research focuses on program analysis and testing, Android application security analysis and testing.

Pengfei Gao is a PhD student in ShanghaiTech University, China, supervised by Prof. Fu Song. He received the BS degree in Computer Science from China University of Mining and Technology, China in 2017. His research interests are in program analysis and software security.

Fu Song is an Associate Professor (Tenured) with ShanghaiTech University, China. He received the MS degree in Software Engineering from East China Normal University, China in 2009, and the PhD degree in Computer Science from University Paris-Diderot, France in 2013. Previously, he was an Assistant Professor with ShanghaiTech University, China from August 2016 to July 2021, lecturer and associate research professor with East China Normal University, China from August 2013 to July 2016. His research interests are primarily in formal methods and computer security.

Min Yang is a Professor and vice dean with School of Computer Science, Fudan University, China. He received the BS and PhD degrees in computer science from Fudan University, China in 2001 and 2006, respectively. His research interests are primarily in mobile security and privacy, AI security and privacy, and program analysis.

Cite this article

Sun, P., Chen, S., Fan, L. et al. VenomAttack: automated and adaptive activity hijacking in Android. Front. Comput. Sci. 17, 171801 (2023). https://doi.org/10.1007/s11704-021-1126-x

  • DOI: https://doi.org/10.1007/s11704-021-1126-x
