Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Tongxin Li,Xueqiang Wang,Mingming Zha,Kai Chen,XiaoFeng Wang,Luyi Xing,Xiaolong Bai,Nan Zhang,Xinhui Han

DOI: https://doi.org/10.1145/3133956.3134021

2017-01-01

Abstract:As a critical feature for enhancing user experience, cross-app URL invocation has been reported to cause unauthorized execution of app components. Although protection has already been put in place, little has been done to understand the security risks of navigating an app's WebView through an URL, a legitimate need for displaying the app's UI during cross-app interactions. In our research, we found that the current design of such cross-WebView navigation actually opens the door to a cross-app remote infection, allowing a remote adversary to spread malicious web content across different apps' WebView instances and acquire stealthy and persistent control of these apps. This new threat, dubbed Cross-App WebView Infection (XAWI), enables a series of multi-app, colluding attacks never thought before, with significant real world impacts. Particularly, we found that the remote adversary can collectively utilize multiple infected apps' individual capabilities to escalate his privileges on a mobile device or orchestrate a highly realistic remote Phishing attack (e.g., running a malicious script in Chrome to stealthily change Twitter's WebView to fake Twitter's own login UI). We show that the adversary can easily find such attack "building blocks" (popular apps whose WebViews can be redirected by another app) through an automatic fuzz, and discovered about 7.4% of the most popular apps subject to the XAWI attacks, including Facebook, Twitter, Amazon and others. Our study reveals the contention between the demand for convenient cross-WebView communication and the need for security control on the channel, and makes the first step toward building OS-level protection to safeguard this fast-growing technology.

Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Yajin Zhou,Zhi Wang,Wu Zhou,Xuxian Jiang

2012-01-01

Abstract:In this paper, we present a systematic study for the detection of malicious applications (or apps) on popular Android Markets. To this end, we first propose a permissionbased behavioral footprinting scheme to detect new samples of known Android malware families. Then we apply a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families. We implemented both schemes in a system called DroidRanger. The experiments with 204, 040 apps collected from five different Android Markets in May-June 2011 reveal 211 malicious ones: 32 from the official Android Market (0.02% infection rate) and 179 from alternative marketplaces (infection rates ranging from 0.20% to 0.47%). Among those malicious apps, our system also uncovered two zero-day malware (in 40 apps): one from the official Android Market and the other from alternative marketplaces. The results show that current marketplaces are functional and relatively healthy. However, there is also a clear need for a rigorous policing process, especially for non-regulated alternative marketplaces.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Yun Ma,Xuanzhe Liu,Ruogu Du,Ziniu Hu,Yi Liu,Meihua Yu,Gang Huang

2016-01-01

Abstract:The mobile application (app) has become the main entrance to access the Internet on handheld devices. Unlike the Web where each webpage has a global URL to reach directly, a specific content of an app can be opened only by exploring the app with several operations from the landing page. The interoperability between apps is quite fixed and thus limits the value-added linked data between apps. Recently, deep link has been proposed to enable targeting and opening a specific page of an app externally with an accessible uniform resource identifier (URI). However, implementing deep link for mobile apps requires a lot of manual efforts by app developers, which can be very error-prone and time-consuming. In this paper, we propose DroidLink to automatically generating deep links for existing Android apps. We design a deep link model suitable for automatic generation. Then we explore the transition of pages and build a navigation graph based on static and dynamic analysis of Android apps. Next, we realize an updating mechanism that keeps on revisiting the target app and discover new pages, and thus generates deep links for every single page of the app. Finally, we repackage the app with deep link supports, but requires no additional deployment requirements. We generate deep links for some popular apps and demonstrate the feasibility of DroidLink.

Rui Shao,Vaibhav Rastogi,Yan Chen,Xiang Pan,Guanyu Guo,Shihong Zou,Ryan Riley

DOI: https://doi.org/10.1109/tmc.2018.2809727

2016-01-01

Abstract:Mobile users are increasingly becoming targets of malware infections and scams. In order to curb such attacks it is important to know how these attacks originate. We take a previously unexplored step in this direction. Numerous in-app advertisements work at this interface: when the user taps on the advertisement, she is led to a web page which may further redirect until the user reaches the final destination. Even though the original applications may not be malicious, the Web destinations that the user visits could play an important role in propagating attacks. We develop a systematic static analysis methodology to find ad libraries embed in applications and dynamic analysis methodology consisting of three components related to triggering web links, detecting malware and scam campaigns, and determining the provenance of such campaigns reaching the user. Our static analysis system identified 242 different ad libraries and dynamic analysis system was deployed for a two-month period and analyzed over 600,000 applications while triggering a total of about 1.5 million links in applications to the Web. We gain a general understanding of attacks through the app-web interface and make several interesting findings including a rogue antivirus scam, free iPad scams, and advertisements propagating SMS trojans.

Yacong Gu,Qi Li,Hongtao Zhang,Purui Su,Xinwen Zhang,Dengguo Feng

DOI: https://doi.org/10.1109/mic.2015.138

IF: 2.68

2016-01-01

IEEE Internet Computing

Abstract:Android provides flexible inter-application communication by exporting the components of one app to others. Each app can define customized permissions to control access from other apps to its exposed components. However, an attacker can easily access the exported components and private app information by evading permission checks in Android. In this article, the authors discuss a new attack called a direct resource hijacking attack (or resource hijacking attack), which directly hijacks exported components or permissions on components owned by a benign app. They find that among the top 230 popular apps, 53 are vulnerable to this attack. To tackle this vulnerability, they propose a fine-grained resource access control framework in Android and introduce a certificate-augmented resource naming mechanism. With this method, malicious apps cant hijack a victim apps permissions to steal its private data in the victim app, or hijack a victim apps components to retrieve data thats delivered to the victim app. The proposal sheds light on a new design of resource protection in Android.

Zhibo Zhang,Zhangyue Zhang,Keke Lian,Guangliang Yang,Lei Zhang,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1145/3605762.3624430

2023-01-01

Abstract:Emerging app-in-app ecosystems (e.g., WeChat) provide a lightweight and efficient WebView-based runtime for mini-apps, which frequently load rich web content from remote servers and access sensitive resources via APIs provided by the super-apps (a.k.a. the app-in-app frameworks). Inspired by the content security policy (CSP), super-apps enforce a domain-based allowlist to prevent mini-apps from loading untrusted and malicious web content. In this paper, we observe that the domain-based allowlist mechanism is unreliable in app-in-app ecosystems because it assumes all web pages under the allowlist domain are trusted. To demonstrate such weakness, we propose a novel attack called Trusted Domain Compromise (TDC) Attack, along with two interesting attack vectors, through which attackers can manipulate unsafe domains or URLs to bypass the allowlist check and launch phishing attack or abuse runtime APIs. Thereafter, we conduct the first empirical study on the TDCAttack in the real-world app-in-app ecosystems. Specifically, we investigate the underlying reasons for the failure of the allowlist mechanism and propose an automated analysis framework for identifying TDCAttacks in real-world mini-apps. Our experiment shows that popular app-in-app ecosystems including WeChat, Alipay, and Baidu are all vulnerable to the TDCAttack. Further, we have identified 26 exploitable real-world mini-apps.

Fangda Cai,Hao Chen,Yuanyi Wu,Yuan Zhang

2014-01-01

Abstract:A fundamental security principle in developing networked applications is end-to-end security, where the confidentiality and integrity of the data transmitted over the network do not rely on the security of the network. In response to the ever increasing traffic from mobile apps, WiFi networks are spreading fast and widely. Since WiFi networks are unregulated, a passive attacker may eavesdrop on the traffic on open WiFi networks, while an active attacker may set up his own WiFi network to modify its traffic at will. In theory, end-to-end security should protect mobile apps from both these attacks; in practice, however, the situation is far less rosy.We examine how the popular, important mobile apps on Chinese Android markets defend themselves against untrusted networks. We select top apps from major categories, such as online shopping, banking, social networks, travel services, and apps from companies with huge market capitalization. We analyze both their code and their network traffic to identify vulnerabilities. We design a mini-language for describing the vulnerabilities and develop a tool, AppCracker, that launches both passive and active attacks on these apps to verify their vulnerabilities. AppCracker has confirmed that 100 apps from 69 companies are vulnerable during their user or session authentication. These vulnerabilities allow an adversary to capture the victim user’s login credentials or to hijack the victim’s session. We describe these diverse types of vulnerabilities, many of which are caused by the misuse of cryptography in their homegrown cryptographic protocols. Finally, we discuss the lessons learned during our investigation to help …

Keke Lian,Lei Zhang,Guangliang Yang,Shuo Mao,Xinjie Wang,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1145/3643730

2024-01-01

Abstract:Nowadays, mobile apps have greatly facilitated our daily work and lives. They are often designed to work closely and interact with each other through app components for data and functionality sharing. The security of app components has been extensively studied and various component attacks have been proposed. Meanwhile, Android system vendors and app developers have introduced a series of defense measures to mitigate these security threats. However, we have discovered that as apps evolve and develop, existing app component defenses have become inadequate to address the emerging security requirements. This latency in adaptation has given rise to the feasibility of cross-layer exploitation, where attackers can indirectly manipulate app internal functionalities by polluting their dependent data. To assess the security risks of cross-layer exploitation in real-world apps, we design and implement a novel vulnerability analysis approach, called CLDroid, which addresses two non-trivial challenges. Our experiments revealed that 1,215 (8.8%) popular apps are potentially vulnerable to cross-layer exploitation, with a total of more than 18 billion installs. We verified that through cross-layer exploitation, an unprivileged app could achieve various severe security consequences, such as arbitrary code execution, click hijacking, content spoofing, and persistent DoS. We ethically reported verified vulnerabilities to the developers, who acknowledged and rewarded us with bug bounties. As a result, 56 CVE IDs have been assigned, with 22 of them rated as ‘critical’ or ‘high’ severity.

Chuangang Ren,Yulong Zhang,Hui Xue,Tao Wei,Peng Liu

2015-01-01

Abstract:Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implication of Android multitasking remains under-investigated. With a systematic study of the complex tasks dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilizing the task hijacking attack surface to implement UI spoofing, denial-of-service and user monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user's activities. We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy. We have notified the Android team about these issues and we discuss possible mitigation techniques in this paper.

Ziyi Zhou,Xing Han,Zeyuan Chen,Yuhong Nan,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1109/dsn53405.2022.00059

2022-01-01

Abstract:A recently emerged cellular network based One-Tap Authentication (OTAuth) scheme allows app users to quickly sign up or log in to their accounts conveniently: Mobile Network Operator (MNO) provided tokens instead of user passwords are used as identity credentials. After conducting a first in-depth security analysis, however, we have revealed several fundamental design flaws among popular OTAuth services, which allow an adversary to easily (1) perform unauthorized login and register new accounts as the victim, (2) illegally obtain identities of victims, and (3) interfere OTAuth services of legitimate apps. To further evaluate the impact of our identified issues, we propose a pipeline that integrates both static and dynamic analysis. We examined 1,025/894 Android/iOS apps, each app holding more than 100 million installations. We confirmed 396/398 Android/iOS apps are affected. Our research systematically reveals the threats against OTAuth services. Finally, we provide suggestions on how to mitigate these threats accordingly.

Jice Wang,Hongqi Wu

DOI: https://doi.org/10.48550/arXiv.1803.05039

2018-03-14

Abstract:Researchers and commercial companies have made a lot of efforts on detecting malware in Android platform. However, a recent malware threat, App collusion, makes malware detection challenging. In App collusion, two or more Apps collaborate to perform malicious actions by communicating with each other, which makes single App analysis insufficient. In this paper, we first introduce Android security mechanism and communication channels used by android Applications. Then we summarize the security vulnerabilities and potential threats introduced by App communication. Finally, we discuss state of art researches and challenges on App collusion detection.

Cryptography and Security

Tao Wei,Yulong Zhang,Hui Xue,Min Zheng,Chuangang Ren,Dawn Song

2014-01-01

Abstract:By 2014, the number of Android users has grown to 1.1 billion and the number of Android devices has reached 1.9 billion [1]. At the same time, enterprises are also embracing Android based Bring Your Own Device (BYOD) solutions. For example, in Intel’s BYOD program, there are over 20,000 Android devices across over 800 combinations of Android versions and hardware configurations [2].Although Google Play has little malware, there are many vulnerabilities in Android apps and the Android system itself. Aggressive ad libraries also leak the user’s private information. By combining altogether, an attacker can conduct more targeted attacks, which we call “Sidewinder Targeted Attacks”. In this paper, we explain the security risks from such attacks, in which an attacker can intercept private information like GPS location uploaded from ad libraries and use that information to precisely locate targeted areas such as a CEO’s office or some specific conference rooms. When the target is identified,“Sidewinder Targeted Attack” exploits popular vulnerabilities in ad libraries, such as Javascript-bindingover-HTTP or dynamic-loading-over-HTTP, etc. It is a well-known challenge for an attacker to call Android services from injected native code which doesn’t have Android application context. We explain how attackers can invoke Android services for tasks such as taking photos, calling phone numbers, sending SMS, reading/writing the clipboard, etc. Furthermore, the attackers can exploit several Android vulnerabilities to get valuable private information or to launch more advanced attacks. Finally, we show that this threat is not only real but also prevalent due to …

Guosheng Xu,Siyi Li,Hao Zhou,Shucen Liu,Yutian Tang,Li,Xiapu Luo,Xusheng Xiao,Guoai Xu,Haoyu Wang

DOI: https://doi.org/10.1145/3485447.3512151

2022-01-01

Abstract:Online content sharing is a widely used feature in Android apps. In this paper, we observe a new Fake-Share attack that adversaries can abuse existing content sharing services to manipulate the displayed source of shared content to bypass the content review of targeted Online Social Apps (OSAs) and induce users to click on the shared fraudulent content. We show that seven popular content-sharing services (including WeChat, AliPay, and KakaoTalk) are vulnerable to such an attack. To detect this kind of attack and explore whether adversaries have leveraged it in the wild, we propose DeFash, a multi-granularity detection tool including static analysis and dynamic verification. The extensive in-the-lab and in-the-wild experiments demonstrate that DeFash is effective in detecting such attacks. We have identified 51 real-world apps involved in Fake-Share attacks. We have further harvested over 24K Sharing Identification Information (SIIs) that can be abused by attackers. It is hence urgent for our community to take actions to detect and mitigate this kind of attack.

Luyi Xing,Xiaolong Bai,Tongxin Li,XiaoFeng Wang,Kai Chen,Xiaojing Liao,Shi-Min Hu,Xinhui Han

DOI: https://doi.org/10.48550/arXiv.1505.06836

2015-05-26

Abstract:On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today's OSes, less clear is whether such isolation is effective against different kind of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on MAC OS~X and iOS. Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps' sensitive data. More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS~X and URL Scheme on the MAC OS and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the app sandbox on OS~X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of MAC OS and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS~X, helping protect vulnerable apps before the problems can be fully addressed.

Cryptography and Security

Zhaoguo Wang,Chenglong Li,Yi Guan,Yibo Xue,Yingfei Dong

DOI: https://doi.org/10.1109/icccn.2016.7568487

2016-01-01

Abstract:As many malicious apps have been distributed in Android markets, it is urgent to fix the vulnerabilities exploited by these apps and develop effective mitigation methods. In this paper, we identify a common vulnerability in many Android apps. This vulnerability is rooted in an unprotected Android component, called "Activity". Utilizing this vulnerability, a malicious app can stealthily and cannily collect sensitive user data. To better understand this issue, we have built "ActivityHijacker", an app that can detect the right moment to hijack the Activity component and intercept a user's password while it is being inputted in real time. To assess the prevalence of this vulnerability, we further analyzed 8 Android OSs (version 2.x to 5.x) and 22 banking apps collected in January 2016 from various Android markets. Our results show that all these Android OSs and apps are susceptible to the vulnerability; 14 out of 22 banking apps can be hijacked without any prompts. We further present a mitigation mechanism that restricts the Activity component to authorized apps.

Lei Zhang,Zhibo Zhang,Ancong Liu,Yinzhi Cao,Xiaohan Zhang,Yanjun Chen,Yuan Zhang,Guangliang Yang,Min Yang

2022-01-01

Abstract:Mobile applications (apps) often delegate their own functions to other parties, which makes them become a super ecosystem hosting these parties. Therefore, such mobile apps are being called super-apps, and the delegated parties are subsequently called sub-apps, behaving like "app-in-app". Sub-apps not only load (third-party) resources like a normal app, but also have access to the privileged APIs provided by the super-app. This leads to an important research question-determining who can access these privileged APIs. Real-world super-apps, according to our study, adopt three types of identities-namely web domains, sub-app IDs, and capabilities-to determine privileged API access. However, existing identity checks of these three types are often not well designed, leading to a disobey of the least privilege principle. That is, the granted recipient of a privileged API is broader than intended, thus defined as an "identity confusion" in this paper. To the best of our knowledge, no prior works have studied this type of identity confusion vulnerability. In this paper, we perform the first systematic study of identity confusion in real-world app-in-app ecosystems. We find that confusions of the aforementioned three types of identities are widespread among all 47 studied super-apps. More importantly, such confusions lead to severe consequences such as manipulating users' financial accounts and installing malware on a smartphone. We responsibly reported all of our findings to developers of affected super-apps, and helped them to fix their vulnerabilities.

Yun Ma,Ziniu Hu,Yunxin Liu,Tao Xie,Xuanzhe Liu

DOI: https://doi.org/10.1109/icse-c.2017.107

2017-01-01

Abstract:Unlike the Web where each web page has a global URL to reach, a specific "content page" inside a mobile app cannot be opened unless the user explores the app with several operations from the landing page. Recently, deep links have been advocated by major companies to enable targeting and opening a specific page of an app externally with an accessible uniform resource identifier (URI). In this paper, we present an empirical study of deep links over 20,000 Android apps, and find that deep links do not get wide adoption among current Android apps, and non-trivial manual efforts are required for app developers to support deep links. To address such an issue, we propose the Aladdin approach and supporting tool to release deep links to access arbitrary locations of existing apps. We evaluate Aladdin with popular apps and demonstrate its effectiveness and performance.