Demos

For anonymity, some screens are obscured and the attack websites are in local area network. But the attack websites can be located in a wide area network as well.

Note that although all the attacks are launched from Chrome in the demos, the attacks can also be launched by an infected WebView in the background without user interaction.

Remote Privilege Escalation

1. Attack Amazon Appstore through Amazon Shopping (unauthorized app install)

In this demo, we demonstrate that a malicious web page in Chrome can attack Amazon apps to install malwares without user consent.

The malicious content will infect the Amazon Shopping's WebView first and then propagate to Amazon Appstore's WebView. Then Google Chrome is launched to hide the Amazon apps. Later Amazon Appstore will install a malware in the background.

2. Attack Facebook Messenger (stealthy messaging)

In this demo, we demonstrate that a malicious web page in Chrome can command Facebook Messenger to send a message without user consent.

3. Attack Baidu mobile assistant (over 100 million users) & Running the infected WebView in the background (monitor the loudness of voice and the gyroscope data and install malwares without user confirmation)

In this demo, we demonstrate that the WebView of Baidu mobile assistant can be infected from Chrome and run in the background. The malicious content in Baidu's WebView can then upload the loudness of voice and the gyroscope data in the background. It can also download and install a malware without user confirmation and open it.

Remote Deep Phishing

4. Display Phishing UI in Twitter (steal Twitter account credentials)

In this demo, we demonstrate that after the user clicks a link, the state of Twitter will be changed silently. When the user opens Twitter, a Phishing UI will be displayed. After the user inputs the login credentials, the main Activity of Twitter will be showed.

5. Let Facebook actively invite Twitter to display Phishing UI (steal Facebook account credentials)

In this demo, when the victim clicks a malicious link, Facebook's WebView will be controlled. Every time the victim opens Facebook, Facebook will launch Twitter to show a Phishing page. After she inputs the login credentials, the Facebook's main Activity will be displayed.

6. Use PicsArt to hijack Facebook's task and display Phishing UI (steal Facebook account credentials)

In this demo, when the victim clicks a malicious link, Facebook's task will be hijacked by PicsArt's WebView. Every time the victim opens Facebook, she will see a Phishing page in PicsArt. After she inputs the login credentials, the Facebook's main Activity will be displayed.