VenomAttack: automated and adaptive activity hijacking in Android

作     者：Pu SUN Sen CHEN Lingling FAN Pengfei GAO Fu SONG Min YANG Pu SUN;Sen CHEN;Lingling FAN;Pengfei GAO;Fu SONG;Min YANG

作者机构：School of Information Science and TechnologyShanghaiTech UniversityShanghai 201210China Shanghai Institute of Microsystem and Information TechnologyChinese Academy of SciencesShanghai 200050China University of Chinese Academy of SciencesBeijing 100049China College of Intelligence and ComputingTianjin UniversityTianjin 300350China College of Cyber ScienceNankai UniversityTianjin 300350China School of Computer ScienceFudan UniversityShanghai 200438China 

出 版 物：《Frontiers of Computer Science》 (中国计算机科学前沿（英文版）)

年 卷 期：2023年第17卷第1期

页      面：187-204页

核心收录：

学科分类：12[管理学] 1201[管理学-管理科学与工程(可授管理学、工学学位)] 08[工学] 081201[工学-计算机系统结构] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

基　　金：supported by the National Natural Science Foundation of China (Grant Nos. 62072309 and 6171101225) 

主　　题：Android activity hijacking Android security mobile security 

摘      要：Activity hijacking is one of the most powerful attacks in Android. Though promising, all the prior activity hijacking attacks suffer from some limitations and have limited attack capabilities. They no longer pose security threats in recent Android due to the presence of effective defense mechanisms. In this work, we propose the first automated and adaptive activity hijacking attack, named VenomAttack, enabling a spectrum of customized attacks (e.g., phishing, spoofing, and DoS) on a large scale in recent Android, even the state-of-the-art defense mechanisms are deployed. Specifically, we propose to use hotpatch techniques to identify vulnerable devices and update attack payload without re-installation and re-distribution, hence bypassing offline detection. We present a newly-discovered flaw in Android and a bug in derivatives of Android, each of which allows us to check if a target app is running in the background or not, by which we can determine the right attack timing via a designed transparent activity. We also propose an automated fake activity generation approach, allowing large-scale attacks. Requiring only the common permission INTERNET, we can hijack activities at the right timing without destroying the GUI integrity of the foreground app. We conduct proof-of-concept attacks, showing that VenomAttack poses severe security risks on recent Android versions. The user study demonstrates the effectiveness of VenomAttack in real-world scenarios, achieving a high success rate (95%) without users’ awareness. That would call more attention to the stakeholders like Google.