Presented at
Black Hat USA 2017,
July 27, 2017, 5 p.m.
(60 minutes)
While both the SYSTEM_ALERT_WINDOW and the BIND_ACCESSIBILITY_SERVICE Android permissions have been abused individually (e.g., in UI redressing attacks, accessibility attacks), previous attacks based on these permissions failed to completely control the UI feedback loop and thus either rely on vanishing side-channels to time the appearance of overlay UI, cannot respond properly to user input, or make the attacks literally visible. In this work, we demonstrate how combining the capabilities of these permissions leads to complete control of the UI feedback loop and creates devastating and stealthy attacks. In particular, we demonstrate how an app with these two permissions can launch a variety of stealthy, powerful attacks, ranging from stealing user's login credentials and security PIN, to the silent installation of a God-like app with all permissions enabled. To make things even worse, we note that when installing an app targeting a recent Android SDK, the list of its required permissions is not shown to the user and that these attacks can be carried out without needing to lure the user to knowingly enable any permission, thus leaving him completely unsuspecting. In fact, we found that the SYSTEM_ALERT_WINDOW permission is automatically granted for apps installed from the Play Store and, even though the BIND_ACCESSIBILITY_SERVICE is not automatically granted, our experiment shows that it is very easy to lure users to unknowingly grant that permission by abusing capabilities from the SYSTEM_ALERT_WINDOW permission. We also found that it is straightforward to get a proof-of-concept app requiring both permissions accepted on the official store. We evaluated the practicality of these attacks by performing a user study: none of the 20 human subjects that took part of the experiment even suspected they had been attacked. We conclude with a number of observations and best-practices that Google and developers can adopt to secure the Android GUI.
Presenters:
-
Yanick Fratantonio
- PhD Candidate, University of California, Santa Barbara
Yanick Fratantonio is a PhD candidate in Computer Science at the University of California, Santa Barbara, and he is soon going to join EURECOM as an Assistant Professor. His research focuses on mobile systems security and privacy. In particular, his work aims at keeping users of mobile devices safe, and it spans different areas of mobile security, such as malware detection, vulnerability analysis, characterization of emerging threats, and the development of novel practical protection mechanisms. In his free time, he enjoys playing and organizing Capture The Flag competitions with the Shellphish hacking team. He is @reyammer on twitter.
-
Wenke Lee
- Professor, Georgia Institute of Technology
Wenke Lee is a Professor of Computer Science and John P. Imlay Jr. Chair, and the Co-Director of the Institute for Information Security & Privacy (IISP) at Georgia Tech. He received his Ph.D. in Computer Science from Columbia University in 1999. His research interests include systems and network security, applied cryptography, and machine learning.
-
Simon Pak Ho Chung
- Research Scientist, Georgia Institute of Technology
Simon Pak Ho Chung is a research scientist at the Institute for Information Security & Privacy (IISP) at the Georgia Institute of Technology. His research interests include security of mobile platforms, malware analysis and basic system security research, and he is interested in both attacks and defense. He's part of the research teams that created the Jekyll and the Mactans attacks on iOS devices.
-
Chenxiong Qian
- PhD Student, Georgia Institute of Technology
Chenxiong Qian is a third-year Ph.D. student in the School of Computer Science at Georgia Tech, advised by Prof. Wenke Lee and Prof. Bill Harris. Chenxiong studies system security and privacy. He is particularly interested in using program analysis to solve system security and privacy problems.
Links:
Similar Presentations: