Android UI Deception Revisited: Attacks and Defenses

Attack Demos:

The first attack uses the random strategy, which does not rely on any side-channel information: it simply guesses when to display its window, so it only occasionally synchronizes with the WhatTheAppIsThat security check. Whenever the guess is wrong, the security indicator switches to its yellow, unlocked visualization, exposing the attack.

The demo begins by starting the attacker app, which monitors the activity at the top of the stack. Once the top-of-stack activity belongs to com.facebook.katana, it launches attack windows, each displayed for 400ms. Whenever the display of an attack window coincides with the user entering input, that keystroke goes to the attacker and is written to a file.

The second attack uses the side-channel strategy: binder transaction statistics are used to infer when it is safe to display an attack window. Our attack otherwise proceeds as in the PoC above, and the stolen input is again written to a file. Notice that with the side channel the indicator rarely turns yellow, which greatly increases the stealthiness of the attack.
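The side-channel strategy treats binder transaction statistics as a timing oracle. The following illustration is added here and is not the paper's PoC code: it shows only the measurement half of such an oracle, namely parsing the system-wide counters from the binder stats file (in the "NAME: count" layout the kernel's print_binder_stats() writes, with constructed values), computing the per-interval growth of BC_TRANSACTION, and labelling each interval as quiet or a burst of IPC against a median baseline. How the attacker maps those labels to "safe to display" is the attack's policy and is not reproduced here; the sample series, the burst_factor threshold and the function names are assumptions of this example.

```python
import re
import statistics

# Constructed snapshot (values are made up) in the "NAME: count" layout that
# the kernel's print_binder_stats() emits for the binder stats file. The
# system-wide counters come first; per-process sections start with "proc <pid>".
SNAPSHOT = """binder stats:
BC_TRANSACTION: 10000
BC_REPLY: 9800
BC_FREE_BUFFER: 20100
BR_TRANSACTION: 10000
BR_REPLY: 9800
proc: active 80 total 200
thread: active 300 total 900
proc 1234
context binder
  threads: 16
  BC_TRANSACTION: 500
  BC_REPLY: 480
"""

COUNTER_RE = re.compile(r"^(B[CR]_[A-Z_]+): (\d+)$")
PROC_RE = re.compile(r"^proc \d+$")


def parse_global_counters(text):
    """Return {counter_name: value} for the system-wide section only.

    Parsing stops at the first 'proc <pid>' line so that a single process's
    private counter is never mistaken for the global one.
    """
    counters = {}
    for line in text.splitlines():
        if PROC_RE.match(line):
            break
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def transaction_deltas(samples):
    """Per-interval growth of a monotonically increasing counter sampled at a fixed period."""
    return [b - a for a, b in zip(samples, samples[1:])]


def classify_intervals(deltas, burst_factor=3.0):
    """Label each interval 'busy' or 'quiet'.

    The baseline is the median delta, which is robust to the very bursts we
    want to detect; an interval whose growth exceeds burst_factor * baseline
    is a burst of binder IPC. On an idle device the median may be 0, in which
    case any growth at all counts as a burst.
    """
    if not deltas:
        return []
    baseline = statistics.median(deltas)
    return ["busy" if d > burst_factor * baseline else "quiet" for d in deltas]


# Constructed series of global BC_TRANSACTION values, one sample per polling period.
SAMPLE_SERIES = [10000, 10040, 10085, 10650, 10690, 10730, 11300]

if __name__ == "__main__":
    g = parse_global_counters(SNAPSHOT)
    print("global BC_TRANSACTION:", g["BC_TRANSACTION"])
    d = transaction_deltas(SAMPLE_SERIES)
    for delta, label in zip(d, classify_intervals(d)):
        print(f"{delta:5d} {label}")
```

Polling the stats file at a fixed period and feeding the global BC_TRANSACTION value into transaction_deltas() gives the series the classifier consumes; the median baseline, rather than a mean, keeps a few large bursts from dragging the threshold upward and hiding later bursts.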

The third attack demo also uses the side channel, but with a window type that intercepts input events and then lets them pass through to the underlying window, so the victim app still receives the input.

Binder Statistics Side Channel Proof-of-Concept Attack code: