Please wait a minute...
Shopping Cart Email List Chinese
Advanced Search Fig/Tab
Frontiers of Computer Science

ISSN 2095-2228

ISSN 2095-2236(Online)

CN 10-1014/TP

Postal Subscription Code 80-970

2018 Impact Factor: 1.129

Featured Articles  |  Most Downloaded  |  Most Reading
Online Submission Subscribe to Our RSS Content Feed
Front. Comput. Sci.    2023, Vol. 17 Issue (1) : 171801    https://doi.org/10.1007/s11704-021-1126-x
RESEARCH ARTICLE
VenomAttack: automated and adaptive activity hijacking in Android
Pu SUN1,2,3, Sen CHEN4, Lingling FAN5, Pengfei GAO1, Fu SONG1(), Min YANG6
1. School of Information Science and Technology, ShanghaiTech University, Shanghai 201210, China
2. Shanghai Institute of Microsystem and Information Technology, Chinese Academy of Sciences, Shanghai 200050, China
3. University of Chinese Academy of Sciences, Beijing 100049, China
4. College of Intelligence and Computing, Tianjin University, Tianjin 300350, China
5. College of Cyber Science, Nankai University, Tianjin 300350, China
6. School of Computer Science, Fudan University, Shanghai 200438, China
 Download: PDF(4539 KB)   HTML
 Export: BibTeX | EndNote | Reference Manager | ProCite | RefWorks
Abstract

Activity hijacking is one of the most powerful attacks in Android. Though promising, all the prior activity hijacking attacks suffer from some limitations and have limited attack capabilities. They no longer pose security threats in recent Android due to the presence of effective defense mechanisms. In this work, we propose the first automated and adaptive activity hijacking attack, named VenomAttack, enabling a spectrum of customized attacks (e.g., phishing, spoofing, and DoS) on a large scale in recent Android, even the state-of-the-art defense mechanisms are deployed. Specifically, we propose to use hotpatch techniques to identify vulnerable devices and update attack payload without re-installation and re-distribution, hence bypassing offline detection. We present a newly-discovered flaw in Android and a bug in derivatives of Android, each of which allows us to check if a target app is running in the background or not, by which we can determine the right attack timing via a designed transparent activity. We also propose an automated fake activity generation approach, allowing large-scale attacks. Requiring only the common permission INTERNET, we can hijack activities at the right timing without destroying the GUI integrity of the foreground app. We conduct proof-of-concept attacks, showing that VenomAttack poses severe security risks on recent Android versions. The user study demonstrates the effectiveness of VenomAttack in real-world scenarios, achieving a high success rate (95%) without users’ awareness. That would call more attention to the stakeholders like Google.
Keywords Android      activity hijacking      Android security      mobile security     
Corresponding Author(s): Fu SONG   
Just Accepted Date: 23 August 2021   Issue Date: 01 March 2022
 Cite this article:   
Pu SUN,Sen CHEN,Lingling FAN, et al. VenomAttack: automated and adaptive activity hijacking in Android[J]. Front. Comput. Sci., 2023, 17(1): 171801.
 URL:  
https://academic.hep.com.cn/fcs/EN/10.1007/s11704-021-1126-x
https://academic.hep.com.cn/fcs/EN/Y2023/V17/I1/171801
Fig.1  Attack scheme of activity hijacking. (a) The benign app is opened by the user; (b) instead of seeing the benign app, the malware is displayed on the user’s screen; (c) the adversary controls the malware
Fig.2  VenomAttack scheme
Fig.3  Workflow of VenomAttack
Fig.4  Illustrating example of VenomAttack. (a)–(d) show the GUIs from the user’s perspective, where the top GUI is in the foreground and the rest are in the background. (1)–(4) show the status of the corresponding task stacks
Fig.5  Lifecycle of the transparent activity
Fig.6  Layout of GUIs. (a) is the interface seen by the user and (b) is layout of GUIs
Fig.7  Workflow of automated fake activity generation
App Category Apkpure Hotpatch Framework Xiaomi App Store Hotpatch Framework Ali App Distribution Platform Hotpatch Framework Huawei App Gallery Hotpatch Framework Google Play Hotpatch Framework
Social Wechat Tinker Wechat Tinker Wechat Tinker Wechat Tinker Josh ?
Momo ? Momo Tinker Momo Tinker Momo Tinker Investing ?
Tantan Tinker Tantan Tinker Tantan Tinker Tantan Tinker Tantan ?
Weico Robust Weico Robust Weico Robust Weico Robust Weico ?
Amazon Alexa ? QQ ? QQ ? QQ ? QQ ?
Facebook ? Zhihu Tinker Zhihu Tinker Zhihu Tinker Tinder ?
LINELite ? Soul ? momobeidanci ? Soul ? Soul ?
Xiaohongshu Tinker KFC ? Voov Meeting Tinker Xiaohongshu Tinker Xiaohongshu ?
YouTube ? Game Helper Tinker Zhenai ? Zhenai ? YouTube ?
Netflix ? Baidu Tieba ? Toutiao Robust Toutiao ? Toutiao ?
Audio and Video iQIYI Dexposed iQIYI Tinker iQIYI Tinker iQIYI Tinker iQIYI ?
TinkerLite ? Youku Nuwa Youku Nuwa Youku Nuwa Youku ?
Tiktok Dexposed Tiktok Robust Tiktok Robust Tiktok Robust Gmail ?
WeTV ? QQLive ? QQLive ? QQLive ? DiDi ?
Instagram ? QQMusic Tinker QQMusic Tinker QQMusic Tinker Instagram ?
Yahoo Weather ? Bilibili Tinker Bilibili Tinker Bilibili Tinker Bilibili ?
WhatsApp Messenger ? Kwai Extreme Tinker Watermelonvideo Dexposed Watermelonvideo Dexposed WhatsApp Messenger ?
Weread Hotfix NeteaseCloudMusic Tinker NeteaseCloudMusic Tinke Douyu ? Twitch ?
Ctrip Hotfix Kugou Music Tinker Noad ? Ctrip Hotfix Moj ?
Twitter ? Kwai Tinker Jianying Robust Kwai Tinker Twitter ?
Tools Dianping Robust Dianping Robust Dianping Robust Dianping Robust Dianping Robust
Amap ? Dingdong ? Amap ? Amap ? Amap ?
MiHome Tinker Mi Home Tinker QQ Browser Tinker QQ Browser Tinker U-Mobile ?
Urban Company ? Anjuke Tinker UC Browser Tinker UC Browser Tinker UC Browser ?
Baidu Map ? Lianjia Robust Wesing Tinker Oasis ? Uber ?
McDonald ? Meituan Robust Thuner ? Thuner ? Meituan Robust
FamilyMart ? Meituan Takeout Robust Meituan Takeout Robust HMS Core ? Zoom ?
Pinterest ? Eleme Hotfix Eleme Hotfix Dragonfly FM Tinker Pinterest ?
QQMail ? 58.com Hotfix Traffic Control12123 ? 58.com Hotfix QQMail ?
Google Map ? Douban ? Homework Group ? Yidui Tinker Douban ?
Financial Alipay Andfix Alipay Andfix Alipay Andfix Alipay Andfix Alipay ?
Open Point ? Jingdong Finance Tinker Jingdong Finance Tinker Jingdong Finance Tinker PhonePe ?
Investing ? BOC ? BOC ? BOC ? Paytm ?
HuobiGlobal Tinker CMBC ? Ding Talk ? CMBC ? HuobiGlobal Tinker
Yahoo Finance ? UnionPay Tinker UnionPay Tinker WPS ? UnionPay ?
Qunar Hotfix PSBC ? PSBC ? Qunar Hotfix Qunar ?
Amazon Shopping ? ICBC ? Baidu ? Baidu ? eBay ?
Google Pay ? ABC ? Himalaya Tinker Himalaya Tinker YONO SBI ?
MoneyBack ? CCB ? Huya Tinker Tiantian Fund ? Mercado Libre ?
PayPal ? Wopay ? Baidu Map ? Douyin Robust Baidu Map ?
Shopping Taobao ? Taobao ? Taobao ? Taobao ? Taobao ?
Jingdong ? Jingdong Tinker Jingdong Tinker Jingdong Tinker Jingdong Hotfix
Tmall ? Tmall ? Tmall ? Tmall ? Tmall ?
Pixiv ? Pinduoduo Tinker Pinduoduo Tinker Pinduoduo Tinker Pinduoduo Tinker
MangoMall ? Alibaba ? Alibaba ? Pingan Securities ? Alibaba ?
Fliggy ? Zhuanzhuan Tinker Baihe ? Fliggy ? Fliggy ?
HKTVmall ? Dewu Robust Suning Robust Suning Robust Wish ?
HongKongMovies ? CR Vanguard ? Dangdang Robust Dangdang Robust SHEIN ?
YuuReward ? VIPshop Holdings ? Amazon Shopping ? VIPshop Holdings ? Flipkart ?
ViuTV ? Idlefish ? Idlefish ? BoCom Dexposed Lazada ?
Tab.1  Hotpatch frameworks in apps in five Android app markets
Android device Android version API level Result of compatibility Result of flaw Result of bug
Google Pixel 2 Android 7 24 Succeeded Succeeded Failed
Google Pixel 2 Android 7.1 25 Succeeded Succeeded Failed
Google Pixel 2 Android 8 26 Succeeded Succeeded Failed
Google Pixel 2 Android 8.1 27 Succeeded Succeeded Failed
Google Pixel 2 Android 9 28 Succeeded Succeeded Failed
Google Pixel 2 Android 10 29 Succeeded Succeeded Failed
HUAWEI Nova5 Pro EMUI 9.1.1 28 Succeeded Succeeded Succeeded
HUAWEI Nova5 Pro EMUI 10.1.0 29 Succeeded Succeeded Succeeded
HUAWEI HONOR 30S Magic UI 3.1.1 29 Succeeded Succeeded Succeeded
Xiaomi Redmi10X Pro MIUI 11.0.5 29 Succeeded Succeeded Succeeded
Xiaomi Redmi K30 MIUI 11.0.15 29 Succeeded Succeeded Succeeded
Tab.2  Results of compatibility and running status collection
No. App name Cosine similarity Structural similarity Generation time/s
1 Alipay 1.0000 0.9950 2.56
2 AASTOCKS 1.0000 0.9984 2.76
3 AvaTradeGO 0.9989 0.9925 3.07
4 Bank of China 1.0000 0.9922 2.55
5 Bendigo Bank 1.0000 0.9995 2.56
6 BoC Pay 1.0000 0.9935 2.78
7 CMC Markets 0.9941 0.9889 3.05
8 CNBC 1.0000 0.9886 2.58
9 CommSec 0.9999 0.9907 2.54
10 Crypto 1.0000 0.9949 2.56
11 FCMB 1.0000 0.9946 2.59
12 HANGSENG BANK 1.0000 0.9998 2.58
13 HMRC 1.0000 0.9974 2.72
14 WireBarley 1.0000 0.9934 2.58
15 Inversting 1.0000 0.9949 2.54
16 Nexo Wallet 1.0000 0.9983 2.62
17 Plus500 1.0000 0.9969 2.62
18 Remitly 1.0000 0.9926 2.67
19 ShopBack 1.0000 0.9947 2.57
20 StockMarkets 1.0000 0.9922 2.60
21 Tiger Trade 0.9998 0.9889 2.60
22 TradingView 1.0000 0.9898 2.60
23 TransferWise 1.0000 0.9929 2.68
24 Wallet 1.0000 0.9912 2.59
25 REMIT 1.0000 0.9934 2.65
26 Facebook 1.0000 0.9909 2.72
27 Hago 1.0000 0.9969 2.56
28 Hello Yo 1.0000 0.9958 2.59
29 Houseparty 1.0000 0.9905 2.56
30 Jaumo 1.0000 0.9990 2.54
31 Josh 1.0000 0.9996 2.66
32 LivU 1.0000 0.9971 2.55
33 MeetMe 1.0000 0.9933 2.66
34 Mico 1.0000 0.9982 2.56
35 QQ 1.0000 0.9933 2.59
36 Roposo 1.0000 0.9955 3.28
37 SKOUT 1.0000 0.9975 2.91
38 Tagged 1.0000 0.9943 2.59
39 TANTAN 1.0000 0.9947 2.57
40 Telegram X 0.9999 0.9962 2.54
41 TikTok 1.0000 0.9928 2.61
42 Tumblr 1.0000 0.9965 2.91
43 Twitter 1.0000 0.9959 2.57
44 Viber 1.0000 0.9959 2.63
45 VidStatus 1.0000 0.9960 2.58
46 WeChat 1.0000 0.9869 2.58
47 Weico 1.0000 0.9865 2.62
48 WhatsApp 1.0000 0.9979 2.56
49 WhosHere 1.0000 0.9994 2.55
50 Xiaohongshu 1.0000 0.9909 2.61
Tab.3  Results of fake UI generation
Fig.8  Comparison of original UIs and fake UIs. (a) Original; (b) fake; (c) original; (d) fake; (e) original; (f) fake; (g) original; (h) fake; (i) original; (j) fake; (k) original; (l) fake
Defense Offline analysis methods Android design restrictions Real-time detection methods
Lee et al. [6] TICK [8] Centaur [10] MR-Droid [13] TDroid [12] Window-guard [11] Activity-shielder [14] Activity hijacking protector [17]
Attacks Attack in [7] ?
Activity hijacking [3]
Task hijacking [5] ? ? ? ? Unknown ?
Activity-Hijacker [4] ?
Information stealing attack [8] ?
Activity injection [6]
Activity hijacking [9]
Stranghogg 2.0 Unknown Unknown Unknown Unknown ? ?
VenomAttack
Tab.4  Results of bypassing state-of-the-art defense mechanisms
No. Question Options
Question-1 Do you think the financial apps provide more functionalities after login? Yes or No
Question-2 Based on your past experience, is it common to re-login after app switching? Yes or No
Question-3 Are you aware any attacks during the study? Yes or No
Question-4 If yes, when do you think attacks occur?
Question-5 If yes, what makes you aware of the attacks?
Tab.5  Questionnaire of the user study
Fig.9  
Fig.10  Results of question-1 (a) and question-2 (b) in Table 5
Fig.11  
Android device Android version API level Init time /ms Back to background time/ms
HUAWEI Nova5 Pro EMUI 10.1.0 29 6 5
HUAWEI HONOR 30S Magic UI 3.1.1 29 7 6
Xiaomi MI 9 MIUI 12.0.3 29 8 4
Xiaomi Redmi10X Pro MIUI 11.0.5 29 7 3
Xiaomi Redmi K30 MIUI 12.0.5 29 17 7
OPPO Realme X ColorOS V7 29 14 9
Tab.6  Time cost of loading the transparent activity
Fig.12  
  
  
  
  
  
  
1 L Lu, Z Li, Z Wu, W Lee, G Jiang. CHEX: statically vetting Android apps for component hijacking vulnerabilities. In: Proceedings of 2012 ACM Conference on Computer and Communications Security. 2012, 229–240
2 G Rydstedt, B Gourdin, E Bursztein, D Boneh. Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization attacks. In: Proceedings of the 4th USENIX Conference on Offensive Technologies. 2010, 1–8
3 Q A Chen, Z Qian, Z M Mao. Peeking into your app without actually seeing it: UI state inference and novel Android attacks. In: Proceedings of the 23rd USENIX Conference on Security Symposium. 2014, 1037−1052
4 Z Wang, C Li, Y Guan, Y Xue, Y Dong. ActivityHijacker: hijacking the Android activity component for sensitive data. In: Proceedings of the 25th International Conference on Computer Communication and Networks. 2016, 1–9
5 C Ren, Y Zhang, H Xue, T Wei, P Liu. Towards discovering and understanding task hijacking in Android. In: Proceedings of the 24th USENIX Conference on Security Symposium. 2015, 945–959
6 S Lee, S Hwang, S Ryu. All about activity injection: threats, semantics, and detection. In: Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering. 2017, 252–262
7 Y Ren, Y Li, F Yuan, F Zhang. Hijacking activity technology analysis and research in Android system. In: Proceedings of the International Conference on Trustworthy Computing and Services. 2013, 46–53
8 Y Xiao, G Bai, J Mao, Z Liang, W Cheng. Privilege leakage and information stealing through the Android task mechanism. In: Proceedings of 2017 IEEE Symposium on Privacy-Aware Computing. 2017, 152–163
9 L Yang , Y Zhi , T Wei , S Yu , J Ma . Inference attack in Android activity based on program fingerprint. Journal of Network and Computer Applications, 2019, 127 : 92– 106
10 L Luo, Q Zeng, C Cao, K Chen, J Liu, L Liu, N Gao, M Yang, X Xing, P Liu. System service call-oriented symbolic execution of Android framework with applications to vulnerability discovery and exploit generation. In: Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services. 2017, 225–238
11 C Ren, P Liu, S Zhu. WindowGuard: systematic protection of GUI security in Android. In: Proceedings of the 24th Annual Network and Distributed System Security Symposium. 2017
12 J Liu, D Wu, J Xue. TDroid: exposing app switching attacks in Android with control flow specialization. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering. 2018, 236–247
13 F Liu, H Cai, G Wang, D Yao, K O Elish, B G Ryder. MR-Droid: a scalable and prioritized analysis of inter-app communication risks. In: Proceedings of 2017 IEEE Security and Privacy Workshops. 2017, 189–198
14 F Yan, Y Li, L Zhang. ActivityShielder: an activity hijacking defense scheme for Android devices. In: Proceedings of the 27th International Conference on Computer Communication and Networks. 2018, 1–9
15 Chen S, Fan L, Chen C, Su T, Li W, Liu Y, Xu L. StoryDroid: automated generation of storyboard for android apps . In: Proceedings of the 41st IEEE/ACM International Conference on Software Engineering. 2019, 596–607
16 T Chen, J He, F Song, G Wang, Z Wu, J Yan. Android stack machine. In: Proceedings of the 30th International Conference on Computer Aided Verification. 2018, 487–504
17 A Bkakria, M Graa, N Cuppens-Boulahia, F Cuppens, J L Lanet. Real-time detection and reaction to activity hijacking attacks in Android smartphones (short paper). In: Proceedings of the 15th Annual Conference on Privacy, Security and Trust (PST). 2017, 253–258
18 L Li , D Li , T F Bissyandé , J Klein , Traon Y Le , D Lo , L Cavallaro . Understanding android app piggybacking: a systematic study of malicious code grafting. IEEE Transactions on Information Forensics and Security, 2017, 12( 6): 1269– 1284
19 J Gao, L Li, P Kong, T F Bissyandé, J Klein. Borrowing your enemy’s arrows: the case of code reuse in Android via direct inter-app code invocation. In: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 2020, 939−951
20 G S Tuncay, J Qian, C A Gunter. See no evil: phishing for permissions with false transparency. In: Proceedings of the 29th USENIX Security Symposium. 2020, 415−432
21 B Saltaformaggio, R Bhatia, Z Gu, X Zhang, D Xu. GUITAR: piecing together android app GUIs from memory images. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015, 120−132
22 S Chen , L Fan , C Chen , M Xue , Y Liu , L Xu . GUI-Squatting attack: automated generation of Android phishing apps. IEEE Transactions on Dependable and Secure Computing, 2021, 18( 6): 2551– 2568
23 F Song , Y Lei , S Chen , L Fan , Y Liu . Advanced evasion attacks and mitigations on practical ML-based phishing website classifiers. International Journal of Intelligent Systems, 2021, 36( 9): 5210– 5240
24 S Chen, T Su, L Fan, G Meng, M Xue, Y Liu, L Xu. Are mobile banking apps secure? what can be improved?. In: Proceedings of the 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 2018, 797−802
25 F Song, T Touili. Model-checking for android malware detection. In: Proceedings of the 12th Asian Symposium on Programming Languages and Systems. 2014, 216−235
26 Z Xu, K Ren, F Song. Android malware family classification and characterization using CFG and DFG. In: Proceedings of 2019 International Symposium on Theoretical Aspects of Software Engineering. 2019, 49−56
27 Chen S, Fan L, Meng G, Su T, Xue M, Xue Y, Liu Y, Xu L. An empirical assessment of security risks of global android banking apps. In: Proceedings of the 42nd IEEE/ACM International Conference on Software Engineering. 2020, 1310−1322
28 Tang C, Chen S, Fan L, Xu L, Liu Y, Tang Z, Dou L. A large-scale empirical study on industrial fake apps. In: Proceedings of the 41st IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice. 2019, 183−192
[1] Yuxia SUN, Jiefeng FANG, Yanjia CHEN, Yepang LIU, Zhao CHEN, Song GUO, Xinkai CHEN, Ziyuan TAN. Energy inefficiency diagnosis for Android applications: a literature review[J]. Front. Comput. Sci., 2023, 17(1): 171201-.
[2] Tianyong WU, Xi DENG, Jun YAN, Jian ZHANG. Analyses for specific defects in Android applications: a survey[J]. Front. Comput. Sci., 2019, 13(6): 1210-1227.
[3] Nannan XIE, Xing WANG, Wei WANG, Jiqiang LIU. Fingerprinting Android malware families[J]. Front. Comput. Sci., 2019, 13(3): 637-646.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed