SECURITY SYSTEM Seminar: "Do Androids Dream of Electric Phishing?"

Prof. Simone Aonzo - Assistant Professor at EURECOM, Digital Security

Date: -
Location: Eurecom

Bio: Simone Aonzo is an Assistant Professor at EURECOM (France), where he teaches and conducts research in the Digital Security Department. He has extensive experience and knowledge in malware analysis (covering both Windows and Android platforms), reverse engineering, phishing, and mobile security. He is also interested in the human factors of security processes and has recently started publishing papers on this topic. He is passionate about finding and solving real-world security challenges and educating the next generation of security professionals.

Title: « Do Androids Dream of Electric Phishing? »

Abstract: In this seminar, I will present two novel and practical phishing attacks on Android that exploit some convenience features. In the first attack, I will abuse features unique to Android, namely the Autofill Framework and Instant Apps, to show how an attacker can trick password managers into autofilling credentials for malicious websites. In the second attack, I demonstrate a state-inference-based phishing attack that uses the inotify APIs, in this case a feature of the Linux kernel on which Android is based, to monitor file system events and detect when the victim launches a target application. Several vulnerabilities and their fixes were reported to both Google and major password manager developers, but even now these issues have not been fully resolved, proving once again that while secure solutions exist in theory, they are difficult to implement in practice.