Android, notify me when it is time to go phishing

A mobile banking app just started up, and the notification “App updated, click here to restart” appears. The graphic theme is the same as the bank. Can we trust it? What if we cannot even trust that tapping an app actually loads the original one? More generally, what if Android notifies an attacker when her victim has just launched the target app of her phishing campaign so that she could cast the hook at the perfect moment? In this paper, we abuse inotify APIs, a mechanism for monitoring file system events, to mount a state inferencebased phishing attack from a malicious app installed on the victim’s smartphone. We also verified the novelty of our work analyzing 10,000 recent Android malware, and although we found some cases where malware uses inotify for their petty purposes, our attack seems to be publicly unknown. However, since Android constantly evolves year after year, we studied its feasibility over different Android versions and attacker’s capabilities. By analyzing 4,863 of the most popular apps, the most disconcerting finding is that if the attacker knows the installation path of the target app, all Android apps are vulnerable, regardless of the system version. Getting the installation path of an app is a capability that is only protected by a normal permission, and to make matters worse, there are workarounds to get it even without such permission. Even if this capability is denied, we propose different attack models under which this attack is still possible; however, at the end of our work, we provide the remediation to eradicate once and for all these attacks. Through this work, we reported three vulnerabilities to Google. Two were acknowledged as bugs of moderate severity, while the last one was already known but not public.