UI state inference attack – phishing 2.0

Activity hijacking is the mobile version of “phishing attack”. By poping a forged UI under certain circumstances, an attacker could hijack the user’s input flow and stole sensitive information, such as login credentials, payment informations and camera pictures.

Imagine those scenarios:

  • You opened a shopping app, finished purchase and clicked “checkout”. The app jumped to the payment UI. Then you input your credit card information.
  • You opened a email app. To add a new account, you clicked “login” and input your username and password.
  • You opened a banking app. To deposit a check, you clicked the scanning button and the camera presents. You took a photo of the check.

Those scenarios could all be exploited by an attacker. Researchers from UMich and UC Riverside have already proved they can successfully implement such attacks on all versions of Android system.

Here’s the PoC video:

The attack flow is:

      Victim installed and opened a malware.
      The malware launched a background service, monitoring the newly launched activity. E.g. by monitoring the logcat.
      The victim opened an target app. Launched a target activity. E.g. Opened a shopping app and jumped to the payment activity.
      The malware service immediately pops up a phishing activity, which looks totally the same as the original payment activity. The former one poped just on top of the later one.
      The victim mistakingly input the payment information on the fake activity, which will be later sent to the hacker.



Why this attack is tricky?

Hard to detect –
For the user, if the fake activity is deceptive enough, the victim can hardly identify it; For the Antivirus, popping up an activity is legit in Android. Antivirus is good at detecting a technically malicious behavior but not a social engineering deception. A better way of identifying the phishing activity is needed.

No special permission needed for the malware – except the Internet permission to send the data out.

We are working on update the Trustlook Antivirus to mitigate this attack. Our approach is, if any background service pops up an activity, we will warn you “the current UI is opened by [service name]”.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s