Inishing: A UI Phishing Attack to Exploit the Vulnerability of Inotify in Android Smartphones

Ahn, Woo Hyun; Park, Hyesung; Oh, Jae‐Won; Lim, Seung-Ho

doi:10.1587/transinf.2015edl8188

Cited by 3 publications

(3 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Then, it prunes the list of recorded file system events of any entry not in the FSSignature K . This allows to filter out those events that the appSignVerifier accidentally recorded while monitoring any file creation event in a directory 3 .…”

Section: Function #3 -Signatureverifiermentioning

confidence: 99%

“…Fourth, in our analysis, we dwelt on monitoring a single file, and given its effectiveness, we explored no further; Ahn et al [3], instead, focused on a sequence of events. Although there is a margin for improvement, our work is mainly concerned with showing the existence of this new attack and how to stop it.…”

Section: Limitations and Conclusionmentioning

confidence: 99%

“…In 2016, Ahn et al [3] showed that particular file system events' occurrences allow detecting a specific UI screen transition. Once again, inotify made it possible to monitor specific file system patterns, this time for perfectly timing a phishing attack by starting an activity that resembles the original one.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Android, Notify Me When It Is Time To Go Phishing

Ruggia,

Possemato,

Merlo

et al. 2023

2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

A mobile banking app just started up, and the notification "App updated, click here to restart" appears. The graphic theme is the same as the bank. Can we trust it? What if we cannot even trust that tapping an app actually loads the original one? More generally, what if Android notifies an attacker when her victim has just launched the target app of her phishing campaign so that she could cast the hook at the perfect moment?In this paper, we abuse inotify APIs, a mechanism for monitoring file system events, to mount a state inferencebased phishing attack from a malicious app installed on the victim's smartphone. We also verified the novelty of our work analyzing 10,000 recent Android malware, and although we found some cases where malware uses inotify for their petty purposes, our attack seems to be publicly unknown.However, since Android constantly evolves year after year, we studied its feasibility over different Android versions and attacker's capabilities. By analyzing 4,863 of the most popular apps, the most disconcerting finding is that if the attacker knows the installation path of the target app, all Android apps are vulnerable, regardless of the system version. Getting the installation path of an app is a capability that is only protected by a normal permission, and to make matters worse, there are workarounds to get it even without such permission.Even if this capability is denied, we propose different attack models under which this attack is still possible; however, at the end of our work, we provide the remediation to eradicate once and for all these attacks. Through this work, we reported three vulnerabilities to Google. Two were acknowledged as bugs of moderate severity, while the last one was already known but not public.

show abstract

Section: Function #3 -Signatureverifiermentioning

confidence: 99%

Section: Limitations and Conclusionmentioning

confidence: 99%