Andrea Possemato (IDEMIA and EURECOM), Dario Nisi (EURECOM), Yanick Fratantonio (EURECOM and Cisco Talos)

In the Android ecosystem, one relevant threat is posed by phishing attacks. Phishing attacks are particularly problematic on mobile platforms because these platforms do not give the user enough information to reliably distinguish a legitimate app from a malicious app that spoofs the legitimate app's UI. A key factor that determines the success rate of a phishing attack is proper timing: the user is more prone to provide sensitive data (such as her passwords) if the malicious spoofed UI appears when the victim expects to interact with the target app. On Android, malware determines the right timing by mounting so-called state inference attacks, which can be used, for example, to infer the exact moment at which the user started a target app and thus expects to interact with it. Even though the Android app sandbox is designed to prevent these attacks, they are still possible by abusing vulnerable APIs that leak such sensitive information: the usual scenario is a malicious app that "polls" these vulnerable APIs, infers when a target app is about to be used, and makes the spoofed UI appear on top of the screen at the right time. All previously known bugs of this kind have been fixed in the latest version of Android.

This paper presents two main research contributions related to preventing and detecting state inference attacks. First, we discuss the design and implementation of a new vulnerability detection system that specifically aims at identifying new vulnerabilities usable to mount state inference attacks. Our approach relies on both static and dynamic analysis techniques, and it identified 18 previously unknown bugs (leading to 6 CVEs) in the latest versions of Android.

Second, we present a new on-device analysis system able to detect exploitation attempts against vulnerable resources and APIs. This system is based on the key hypothesis that mere "polling behaviors" can be used as a strong signal of a potential attack, independently of the other factors that previous works rely on. We performed an empirical analysis over a corpus of benign and malicious apps and found that this hypothesis is indeed correct. This approach has the advantage of being able to detect exploitation attempts even when the abused API is not known to be vulnerable in advance. We implemented this system as an Android framework modification, and we show that it incurs a negligible overhead.
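As an added illustration of the polling heuristic described above (not the paper's own implementation, which lives inside the Android framework), the following stand-alone detector flags a caller that hits the same API repeatedly at regular, high-frequency intervals, without needing to know in advance whether that API is vulnerable. The call trace, app names, API names and thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample trace of framework API calls: (timestamp_ms, caller_app, api).
# The apps and APIs are illustrative, not data from the paper.
TRACE = [
    # app.a polls one API every ~200 ms for 2 s: classic state-inference polling
    *[(t, "app.a", "ActivityManager.getRunningTasks") for t in range(0, 2000, 200)],
    # app.b calls the same API a few times at irregular, user-driven intervals
    (50, "app.b", "ActivityManager.getRunningTasks"),
    (1300, "app.b", "ActivityManager.getRunningTasks"),
    (4800, "app.b", "ActivityManager.getRunningTasks"),
    # app.c polls a different API (not on any known-vulnerable list) every 100 ms
    *[(t, "app.c", "PackageManager.getInstalledApplications") for t in range(0, 1500, 100)],
]


def detect_polling(trace, window_ms=2000, min_calls=8, max_cv=0.3):
    """Return {(app, api): stats} for call streams that look like polling.

    A (caller, api) stream is flagged when some sliding window of window_ms
    contains at least min_calls calls whose inter-call gaps are regular
    (coefficient of variation of the gaps <= max_cv). The API identity is
    irrelevant to the decision: only the calling pattern matters.
    """
    by_key = defaultdict(list)
    for ts, app, api in sorted(trace):
        by_key[(app, api)].append(ts)

    flagged = {}
    for key, times in by_key.items():
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most window_ms
            while times[end] - times[start] > window_ms:
                start += 1
            count = end - start + 1
            if count < min_calls:
                continue
            gaps = [b - a for a, b in zip(times[start:end], times[start + 1:end + 1])]
            m = mean(gaps)
            cv = pstdev(gaps) / m if m > 0 else 0.0
            if cv <= max_cv:
                flagged[key] = {"calls": count, "mean_gap_ms": m, "cv": round(cv, 3)}
                break  # one qualifying window is enough to flag this stream
    return flagged
```

Tuning `min_calls`, `window_ms` and `max_cv` against a benign corpus is what keeps legitimate periodic callers (widgets, sync jobs) out of the flagged set.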
