Cloak & Dagger: From Two Permissions to Complete Control of the UI Feedback Loop

Black Hat USA 2017

Presented by: Simon Pak Ho Chung, Yanick Fratantonio, Wenke Lee, Chenxiong Qian
Date: Thursday July 27, 2017
Time: 17:00 - 18:00
Location: Lagoon DEFJKL

While both the SYSTEM_ALERT_WINDOW and the BIND_ACCESSIBILITY_SERVICE Android permissions have been abused individually (e.g., in UI redressing attacks and accessibility attacks), previous attacks based on these permissions failed to completely control the UI feedback loop and thus either rely on vanishing side-channels to time the appearance of the overlay UI, cannot respond properly to user input, or make the attacks literally visible. In this work, we demonstrate how combining the capabilities of these permissions leads to complete control of the UI feedback loop and creates devastating and stealthy attacks. In particular, we demonstrate how an app with these two permissions can launch a variety of stealthy, powerful attacks, ranging from stealing a user's login credentials and security PIN to the silent installation of a God-like app with all permissions enabled. To make things even worse, we note that when installing an app targeting a recent Android SDK, the list of its required permissions is not shown to the user, and that these attacks can be carried out without needing to lure the user into knowingly enabling any permission, thus leaving them completely unsuspecting. In fact, we found that the SYSTEM_ALERT_WINDOW permission is automatically granted to apps installed from the Play Store and, even though BIND_ACCESSIBILITY_SERVICE is not automatically granted, our experiment shows that it is very easy to lure users into unknowingly granting that permission by abusing capabilities of the SYSTEM_ALERT_WINDOW permission. We also found that it is straightforward to get a proof-of-concept app requiring both permissions accepted on the official store. We evaluated the practicality of these attacks by performing a user study: none of the 20 human subjects that took part in the experiment even suspected they had been attacked. We conclude with a number of observations and best practices that Google and developers can adopt to secure the Android GUI.
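As an added illustration of the developer-side hardening the abstract alludes to (this is not code from the talk, and the talk's own recommendations are not reproduced on this page): standard Android platform APIs let a sensitive screen drop touches that arrive while another window is drawn over it, and enumerate the accessibility services currently enabled. `LoginActivity`, `R.layout.activity_login`, `R.id.password` and `R.id.login_button` are assumed names.

```java
// Added example: hardening a login screen against SYSTEM_ALERT_WINDOW
// overlays with platform APIs. Assumes a layout named activity_login
// containing views R.id.password and R.id.login_button.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.accessibility.AccessibilityManager;
import java.util.List;

public class LoginActivity extends Activity {
    private static final String TAG = "LoginHardening";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);
        // The framework marks touches that pass through another window with
        // FLAG_WINDOW_IS_OBSCURED; these views then discard such touches.
        findViewById(R.id.password).setFilterTouchesWhenObscured(true);
        findViewById(R.id.login_button).setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Activity-wide check so the whole login window ignores obscured input.
        boolean obscured =
            (ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            // Telemetry hook: an overlay sat above this window during input.
            Log.w(TAG, "touch delivered while window obscured; dropping it");
            return true; // consume the event without acting on it
        }
        return super.dispatchTouchEvent(ev);
    }

    /** Returns the enabled accessibility services, e.g. to log or surface them. */
    static List<AccessibilityServiceInfo> enabledAccessibilityServices(Context ctx) {
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        return am.getEnabledAccessibilityServiceList(
            AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
    }
}
```

This addresses only the overlay channel: actions performed through an enabled accessibility service are not touch events and carry no obscured flag, which is exactly why the abstract treats the combination of the two permissions as the dangerous case.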

Yanick Fratantonio

Yanick Fratantonio is a PhD candidate in Computer Science at the University of California, Santa Barbara, and he is soon going to join EURECOM as an Assistant Professor. His research focuses on mobile systems security and privacy. In particular, his work aims at keeping users of mobile devices safe, and it spans different areas of mobile security, such as malware detection, vulnerability analysis, characterization of emerging threats, and the development of novel practical protection mechanisms. In his free time, he enjoys playing and organizing Capture The Flag competitions with the Shellphish hacking team. He is @reyammer on Twitter.

Chenxiong Qian

Chenxiong Qian is a third-year Ph.D. student in the School of Computer Science at Georgia Tech, advised by Prof. Wenke Lee and Prof. Bill Harris. Chenxiong studies system security and privacy. He is particularly interested in using program analysis to solve system security and privacy problems.

Simon Pak Ho Chung

Simon Pak Ho Chung is a research scientist at the Institute for Information Security & Privacy (IISP) at the Georgia Institute of Technology. His research interests include the security of mobile platforms, malware analysis and basic system security research, and he is interested in both attacks and defense. He is part of the research teams that created the Jekyll and Mactans attacks on iOS devices.

Wenke Lee

Wenke Lee is a Professor of Computer Science and John P. Imlay Jr. Chair, and the Co-Director of the Institute for Information Security & Privacy (IISP) at Georgia Tech. He received his Ph.D. in Computer Science from Columbia University in 1999. His research interests include systems and network security, applied cryptography, and machine learning.
