Engineering school and research centre in digital sciences

Phishing attacks on modern Android

Merlo, Alessio; Aonzo, Simone; Tavella, Giulio; Fratantonio, Yanick

CCS 2018, ACM Conference on Computer and Communications Security, 15-19 October 2018, Toronto, Canada

Modern versions of Android have introduced a number of features in the name of convenience. This paper shows how two of these features, mobile password managers and Instant Apps, can be abused to make phishing attacks that are significantly more practical than existing ones. We studied the leading mobile password managers and uncovered a number of design issues that leave them open to attacks. For example, we show that it is possible to trick password managers into auto-suggesting credentials associated with arbitrary attacker-chosen websites. We then show how an attacker can abuse the recently introduced Instant Apps technology to allow a remote attacker to gain full UI control and, by abusing password managers, to implement an end-to-end phishing attack requiring only a few user clicks. We also found that mobile password managers are vulnerable to "hidden fields" attacks, which makes these attacks even more practical and problematic. We conclude this paper by proposing a new secure-by-design API that avoids common errors, and we show that the secure implementation of autofill functionality will require a community-wide effort, which this work hopes to inspire.


Title: Phishing attacks on modern Android
Keywords: Mobile Security, Phishing, Password Managers, Instant Apps
Type: Conference
Language: English
City: Toronto
Country: CANADA
Date:
Department: Digital Security
Eurecom ref: 5637
Copyright: © ACM, 2018. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in CCS 2018, ACM Conference on Computer and Communications Security, 15-19 October 2018, Toronto, Canada http://dx.doi.org/10.1145/3243734.3243778
Bibtex: @inproceedings{EURECOM+5637, doi = {http://dx.doi.org/10.1145/3243734.3243778}, year = {2018}, title = {{P}hishing attacks on modern {A}ndroid}, author = {{M}erlo, {A}lessio and {A}onzo, {S}imone and {T}avella, {G}iulio and {F}ratantonio, {Y}anick}, booktitle = {{CCS} 2018, {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity, 15-19 {O}ctober 2018, {T}oronto, {C}anada}, address = {{T}oronto, {CANADA}}, month = {10}, url = {http://www.eurecom.fr/publication/5637} }