Repeating Toast Drawing Based Password Inference Attack Technique

Cited by: 0
Authors
Ling Z. [1 ]
Yang Y. [1 ]
Liu R.-Z. [1 ]
Zhang Y. [2 ]
Jia K. [1 ]
Yang M. [1 ]
Affiliations
[1] School of Computer Science and Engineering, Southeast University, Nanjing
[2] College of Cyber Security, Jinan University, Guangzhou
Source
Ruan Jian Xue Bao/Journal of Software | 2022 / Vol. 33 / No. 06
Keywords
Java reflection; Password attack; Repeating Toast drawing
DOI
10.13328/j.cnki.jos.006568
Abstract
The mobile platform is rapidly emerging as one of the dominant computing paradigms of recent decades. However, mobile platforms also face security issues. As the first line of defense against various cyber attacks on mobile devices, password protection plays an important role in protecting users' sensitive data. Offensive and defensive techniques related to passwords have therefore gained a lot of attention. This work systematically studies the design flaws in the Android Toast mechanism and discovers a new type of vulnerability that leverages the Toast fade-in and fade-out animation: malware can continuously display keyboard-like Toast views to capture the user's inputs stealthily, thereby stealing the user's password. The attack has been implemented, and extensive user experiments are performed to demonstrate its effectiveness, accuracy, and stealthiness. The results show that when the password length is 8, the attack success rate can reach up to 89%. It has also been confirmed that the latest Android system has patched this vulnerability. © Copyright 2022, Institute of Software, the Chinese Academy of Sciences. All rights reserved.
Pages: 2047 / 2060
Page count: 13