Do Androids dream of electric phishing?

Aonzo, Simone
EURECOM Security System Seminar, 23 January 2024, Sophia Antipolis, France

In this seminar, I will present two novel and practical phishing attacks on Android that exploit convenience features of the platform.

In the first attack, I will abuse features unique to Android, namely the Autofill Framework and Instant Apps, to show how an attacker can trick password managers into autofilling credentials for malicious websites.

In the second attack, I demonstrate a state-inference phishing attack that uses the inotify API (a feature of the Linux kernel on which Android is based) to monitor file system events and detect when the victim launches the target application.
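The primitive behind the second attack, as an added example that is not part of the seminar or of the speaker's code: a small Linux inotify watcher in C. It registers a watch on a directory, then reads events (file created, opened, accessed, modified) one at a time, including the case where the kernel delivers several queued events in a single read. Everything here is assumed for illustration: the directory to watch is supplied on the command line (the seminar does not name which Android paths are monitored), and inotify_add_watch only succeeds on a path the calling process already has read permission on. It demonstrates the monitoring primitive, not a detector for any particular application.

```c
/* Added example (not from the seminar): observe file system activity in a
 * directory with Linux inotify. The watched directory is an assumption passed
 * on the command line; the event handling is generic. */
#define _GNU_SOURCE
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

struct fs_event {
    uint32_t mask;      /* IN_CREATE, IN_OPEN, IN_ACCESS, IN_MODIFY, ... */
    char name[256];     /* entry name inside the watched directory, "" for the dir itself */
};

struct watcher {
    int fd;
    /* inotify requires the read buffer to hold at least one full event;
     * 4 KiB comfortably covers sizeof(struct inotify_event) + NAME_MAX + 1. */
    char buf[4096] __attribute__((aligned(8)));
    size_t off, len;    /* unread region of buf, so several events per read() are not lost */
};

/* Start watching `dir` for the events in `mask`. Returns 0, or -1 with errno set
 * (EACCES if the process cannot read the directory). */
int watcher_open(struct watcher *w, const char *dir, uint32_t mask)
{
    memset(w, 0, sizeof *w);
    w->fd = inotify_init1(IN_CLOEXEC);
    if (w->fd < 0)
        return -1;
    if (inotify_add_watch(w->fd, dir, mask) < 0) {
        close(w->fd);
        w->fd = -1;
        return -1;
    }
    return 0;
}

/* Wait up to timeout_ms for the next event. Returns 1 and fills *ev,
 * 0 on timeout, -1 on error. Events already buffered are returned first. */
int watcher_next(struct watcher *w, struct fs_event *ev, int timeout_ms)
{
    if (w->off >= w->len) {
        struct pollfd p = { .fd = w->fd, .events = POLLIN };
        int r = poll(&p, 1, timeout_ms);
        if (r <= 0)
            return r;                       /* 0: timeout, -1: error */
        ssize_t n = read(w->fd, w->buf, sizeof w->buf);
        if (n <= 0)
            return -1;
        w->off = 0;
        w->len = (size_t)n;
    }
    const struct inotify_event *ie = (const struct inotify_event *)(w->buf + w->off);
    ev->mask = ie->mask;
    ev->name[0] = '\0';
    if (ie->len > 0) {
        strncpy(ev->name, ie->name, sizeof ev->name - 1);
        ev->name[sizeof ev->name - 1] = '\0';
    }
    w->off += sizeof *ie + ie->len;         /* advance past the variable-length name */
    return 1;
}

void watcher_close(struct watcher *w)
{
    if (w->fd >= 0)
        close(w->fd);
    w->fd = -1;
}

/* Stand-alone use: print events on the given directory until 10 s of silence. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <directory>\n", argv[0]);
        return 2;
    }
    struct watcher w;
    if (watcher_open(&w, argv[1], IN_CREATE | IN_OPEN | IN_ACCESS | IN_MODIFY) < 0) {
        perror("watcher_open");
        return 1;
    }
    struct fs_event ev;
    int r;
    while ((r = watcher_next(&w, &ev, 10000)) == 1)
        printf("event 0x%08x on %s\n", ev.mask, ev.name[0] ? ev.name : "<dir>");
    watcher_close(&w);
    return r < 0 ? 1 : 0;
}
```

The side channel is that none of this needs any relationship with the process that causes the events: a watcher with read permission on a directory learns, in real time, that some other process created or opened an entry there, which is the kind of signal a state-inference attack correlates with an application starting up. Compile with `cc -o watch watch.c` on Linux; the inotify header is not available on other platforms.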

Several vulnerabilities, together with proposed fixes, were reported to both Google and major password manager developers, but even now these issues have not been fully resolved, showing once again that solutions which are secure in theory are difficult to implement in practice.


Type:
Talk
City:
Sophia Antipolis
Date:
2024-01-23
Department:
Sécurité numérique
Eurecom Ref:
7574
Copyright:
© EURECOM. Personal use of this material is permitted. The definitive version of this paper was published in EURECOM Security System Seminar, 23 January 2024, Sophia Antipolis, France and is available at :
PERMALINK : https://www.eurecom.fr/publication/7574