As text-based passwords continue to be the dominant form for user identi cation today, services try to protect their costumers by o ering enhanced, and more secure, technologies for authentication. One of the most promising is two-factor authentication (2FA). 2FA raises the bar for the attacker signi cantly, however, it is still questionable if the technology can be realistically adopted by the majority of Internet users. In this paper, we attempt a rst study for quantifying the adoption of 2FA in probably the largest existing provider, namely Google. For achieving this, we leverage the password-reminder process in a novel way for discovering if 2FA is enabled for a particular account, without annoying or affecting the account's owner. Our technique has many challenges to overcome, since it requires issuing massively thousands of password reminders. In order to remain below the radar, and therefore avoid solving CAPTCHAs or having our hosts blocked, we leverage distributed systems, such as TOR and PlanetLab. After examining over 100,000 Google accounts, we conclude that 2FA has not yet been adopted by more than 6.4% of the users. Last but not least, as a side-e ect of our technique, we are also able to ex ltrate private information, which can be potentially used for malicious purposes. Thus, in this paper we additionally present important ndings for raising concerns about privacy risks in designing password reminders.
Antivirus companies, mobile application marketplaces, and the security research community, employ techniques based on dynamic code analysis to detect and analyze mobile malware. In this paper, we present a broad range of anti-analysis techniques that malware can employ to evade dynamic analysis in emulated Android environments. Our detection heuristics span three different categories based on (i) static properties, (ii) dynamic sensor information, and (iii) VM-related intricacies of the Android Emulator. To assess the effectiveness of our techniques, we incorporated them in real malware samples and submitted them to publicly available Android dynamic analysis systems, with alarming results. We found all tools and services to be vulnerable to most of our evasion techniques. Even trivial techniques, such as checking the value of the IMEI, are enough to evade some of the existing dynamic analysis frameworks. We propose possible countermeasures to improve the resistance of current dynamic analysis tools against evasion attempts.
Social networking is one of the most popular Internet activities with millions of members from around the world. However, users are unaware of the privacy risks involved. Even if they protect their private information, their name is enough to be used for malicious purposes. In this paper we demonstrate and evaluate how names extracted from social networks can be used to harvest email addresses as a first step for personalized phishing campaigns. Our blind harvesting technique uses names collected from the Facebook and Twitter networks as query terms for the Google search engine, and was able to harvest almost 9 million unique email addresses. We compare our technique with other harvesting methodologies, such as crawling the World Wide Web and dictionary attacks, and show that our approach is more scalable and efficient than the other techniques. We also present three targeted harvesting techniques that aim to collect email addresses coupled with personal information for the creation of personalized phishing emails. By using information available in Twitter to narrow down the search space and, by utilizing the Facebook email search functionality, we are able to successfully map 43.4% of the user profiles to their actual email address. Furthermore, we harvest profiles from Google Buzz, 40% of whom provide a direct mapping to valid Gmail addresses.
Mobile applications (apps) have been gaining popularity due to the advances in mobile technologies and the large increase in the number of mobile users. Consequently, several app distribution platforms, which provide a new way for developing, downloading, and updating software applications in modern mobile devices, have recently emerged. To better understand the download patterns, popularity trends, and development strategies in this rapidly evolving mobile app ecosystem, we systematically monitored and analyzed four popular third-party Android app marketplaces. Our study focuses on measuring, analyzing, and modeling the app popularity distribution and explores how pricing and revenue strategies affect app popularity and developers’ income. Our results indicate that unlike web and peer-to-peer file sharing workloads, the app popularity distribution deviates from commonly observed Zipf-like models. We verify that these deviations can be mainly attributed to a new download pattern, which we refer to as the clustering effect . We validate the existence of this effect by revealing a strong temporal affinity of user downloads to app categories. Based on these observations, we propose a new formal clustering model for the distribution of app downloads and demonstrate that it closely fits measured data. Moreover, we observe that paid apps follow a different popularity distribution than free apps and show how free apps with an ad-based revenue strategy may result in higher financial benefits than paid apps. We believe that this study can be useful to appstore designers for improving content delivery and recommendation systems, as well as to app developers for selecting proper pricing policies to increase their income.
Mobile applications (apps) have been gaining rising popularity due to the advances in mobile technologies and the large increase in the number of mobile users. Consequently, several app distribution platforms, which provide a new way for developing, downloading, and updating software applications in modern mobile devices, have recently emerged. To better understand the download patterns, popularity trends, and development strategies in this rapidly evolving mobile app ecosystem, we systematically monitored and analyzed four popular third-party Android app marketplaces. Our study focuses on measuring, analyzing, and modeling the app popularity distribution, and explores how pricing and revenue strategies affect app popularity and developers' income.Our results indicate that unlike web and peer-to-peer file sharing workloads, the app popularity distribution deviates from commonly observed Zipf-like models. We verify that these deviations can be mainly attributed to a new download pattern, to which we refer as the clustering effect. We validate the existence of this effect by revealing a strong temporal affinity of user downloads to app categories. Based on these observations, we propose a new formal clustering model for the distribution of app downloads, and demonstrate that it closely fits measured data. Moreover, we observe that paid apps follow a different popularity distribution than free apps, and show how free apps with an ad-based revenue strategy may result in higher financial benefits than paid apps. We believe that this study can be useful to appstore designers for improving content delivery and recommendation systems, as well as to app developers for selecting proper pricing policies to increase their income.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.