Journal
2022 IEEE 42ND INTERNATIONAL CONFERENCE ON DISTRIBUTED COMPUTING SYSTEMS (ICDCS 2022)
Volume -, Issue -, Pages 1122-1132
Publisher
IEEE COMPUTER SOC
DOI: 10.1109/ICDCS54860.2022.00111
Keywords
-
Category
-
Funding
- National Key R&D Program of China [2018YFB2100300]
- National Natural Science Foundation of China [62022024, 61972088, 62072103, 62102084, 62072102, 62072098, 61972083]
- US National Science Foundation (NSF) [1931871, 1915780]
- US Department of Energy (DOE) [DEEE0009152]
- Jiangsu Provincial Natural Science Foundation for Excellent Young Scholars [BK20190060]
- Jiangsu Provincial Natural Science Foundation of China [BK20190340]
- Jiangsu Provincial Key Laboratory of Network and Information Security Grant [BM2003201]
- Key Laboratory of Computer Network and Information Integration of Ministry of Education of China [93K-9]
- Collaborative Innovation Center of Novel Software Technology and Industrialization
We have discovered that seemingly harmless animations widely used in Android can pose significant threats to the security and privacy of users. Both entrance and exit animations can be exploited to launch various attacks, such as the draw-and-destroy overlay attack and the draw-and-destroy toast attack. These attacks can be used to intercept user inputs stealthily and exploit the slow-in and fade-out animations to suppress alerts and hide malicious activities.
We find that seemingly innocuous animations widely used in Android can pose great threats to user security and privacy. Both entrance and exit animations can be exploited. In our draw-and-destroy overlay attack, a malicious app periodically draws and destroys transparent UI-intercepting overlays, which can be put over victim apps to intercept user inputs stealthily. Although Android is patched to show an alert when an overlay covers an app, quickly drawing and destroying malicious overlays exploits the slow-in animation of the notification alert view and suppresses the alert. In our draw-and-destroy toast attack, a malicious app periodically creates a new customized toast over a victim app before the previous customized toast disappears. This attack exploits the fade-out animation of the toast so that the transition between two successive toasts cannot be observed. The two draw-and-destroy attacks can serve as building blocks of other attacks. We particularly study the password-stealing attack, given its severe consequences: the draw-and-destroy toast attack displays a fake keyboard over the original keyboard, and the draw-and-destroy overlay attack places transparent overlays over the fake keyboard to intercept user inputs. Extensive real-world experiments validate the feasibility and effectiveness of the attacks. We also discuss defense measures that mitigate the attacks. We are the first to discover the security implications of animation for Android security.
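The abstract's central timing argument is that an overlay which is destroyed and redrawn faster than the alert view finishes animating in never lets the alert become visible, and that a slow-in (accelerating) curve makes this worse than a linear one. The following is an added example, not code from the paper or from Android: a constructed timing model that assumes the alert's opacity follows an accelerating curve over a fixed duration, that the animation restarts from zero each time the overlay is destroyed and redrawn, and that a user notices the alert only above some opacity threshold. The durations, the curve shapes and the threshold are assumptions chosen for illustration, not measured values from the page.

```python
"""Constructed timing model of the draw-and-destroy overlay cadence.

Added example; not the paper's code and not Android framework code.
Assumptions (not from the page): the alert animates in with an accelerating
(slow-in) opacity curve over alert_duration_ms, the animation restarts from
zero whenever the overlay is destroyed and redrawn, and the alert is noticed
only once its opacity reaches `threshold`.
"""


def slow_in(progress: float) -> float:
    """Accelerating curve (starts slowly), modelled as progress squared."""
    p = max(0.0, min(1.0, progress))
    return p * p


def linear(progress: float) -> float:
    """Linear curve for comparison: opacity grows proportionally to time."""
    return max(0.0, min(1.0, progress))


def peak_alert_alpha(overlay_lifetime_ms: int, alert_duration_ms: int, curve=slow_in) -> float:
    """Highest opacity the alert reaches if the overlay lives overlay_lifetime_ms
    before being destroyed (the animation is assumed to restart on each redraw)."""
    return curve(overlay_lifetime_ms / alert_duration_ms)


def simulate(overlay_lifetime_ms: int, gap_ms: int, total_ms: int,
             alert_duration_ms: int, threshold: float, curve=slow_in, step_ms: int = 1):
    """Step through time with the overlay alive for overlay_lifetime_ms, gone for
    gap_ms, repeated. Returns (peak_alpha, ms the alert is at/above threshold,
    ms the overlay was active), i.e. how long the victim was covered versus how
    long the warning was actually perceivable."""
    peak = 0.0
    visible_ms = 0
    active_ms = 0
    period = overlay_lifetime_ms + gap_ms
    for t in range(0, total_ms, step_ms):
        phase = t % period
        if phase < overlay_lifetime_ms:          # overlay currently drawn
            active_ms += step_ms
            alpha = curve(phase / alert_duration_ms)  # animation restarted at phase 0
            peak = max(peak, alpha)
            if alpha >= threshold:
                visible_ms += step_ms
    return peak, visible_ms, active_ms


def max_safe_lifetime_ms(alert_duration_ms: int, threshold: float, curve=slow_in) -> int:
    """Longest overlay lifetime (ms) that keeps the alert below `threshold`; this is
    the cadence an attacker would pick, and the number a defender wants to be small."""
    for life in range(1, alert_duration_ms + 1):
        if curve(life / alert_duration_ms) >= threshold:
            return life - 1
    return alert_duration_ms


if __name__ == "__main__":
    # Constructed parameters: 1 s alert animation, overlay redrawn every 200 ms + 50 ms gap.
    print("peak alpha, slow-in:", peak_alert_alpha(200, 1000))
    print("peak alpha, linear: ", peak_alert_alpha(200, 1000, linear))
    print("simulate:", simulate(200, 50, 2000, 1000, threshold=0.1))
    print("max safe lifetime at 0.25 (slow-in):", max_safe_lifetime_ms(1000, 0.25))
    print("max safe lifetime at 0.25 (linear): ", max_safe_lifetime_ms(1000, 0.25, linear))
```

The comparison between the two curves is the point: for the same 200 ms overlay lifetime the accelerating curve leaves the alert at a fifth of the opacity a linear curve would, so the attacker can keep overlays alive roughly twice as long before the warning crosses the same threshold. A defender reasoning about a mitigation can use `max_safe_lifetime_ms` as the quantity to drive down, for example by not restarting the alert animation when the overlay is redrawn within a short window.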