research-article

VirtualSwindle: an automated attack against in-app billing on android

Authors:

Collin Mulliner,

William Robertson,

Engin KirdaAuthors Info & Claims

ASIA CCS '14: Proceedings of the 9th ACM symposium on Information, computer and communications security

Pages 459 - 470

https://doi.org/10.1145/2590296.2590335

Published: 04 June 2014 Publication History

Abstract

Since its introduction, Android's in-app billing service has quickly gained popularity. The in-app billing service allows users to pay for options, services, subscriptions, and virtual goods from within mobile apps themselves. In-app billing is attractive for developers because it is easy to integrate, and has the advantage that the developer does not need to be concerned with managing financial transactions. In this paper, we present the first fully-automated attack against the in-app billing service on Android. Using our prototype, we conducted a robustness study against our attack, analyzing 85 of the most popular Android apps that make use of in-app billing. We found that 60% of these apps were easily and automatically crackable. We were able to bypass highly popular and prominent games such as Angry Birds and Temple Run, each of which have millions of users. Based on our study, we developed a defensive technique that specifically counters automated attacks against in-app billing. Our technique is lightweight and can be easily added to existing applications.

References

[1]

Apktool Developers. android-apktool - A tool for reverse engineering Android apk files. http://code.google.com/p/android-apktool/, November 2012.

[2]

Bethea, D., Cochran, R. A., and Reiter, M. K. Server-side verification of client behavior in online games. In 17th ISOC Network and Distributed System Security Symposium (NDSS) (2010).

[3]

Bursztein, E., Hamburg, M., Lagarenne, J., and Boneh, D. OpenConflict: Preventing Real Time Map Hacks in Online Games. In IEEE Symposium on Security and Privacy (May 2011).

Digital Library

[4]

Chainfire. SuperSU. https://play.google.com/store/apps/details?id=eu.chainfire.supersu&hl=en, November 2012.

[5]

Clowes, S. injectso - Modifying and Spying on running processes under Linux and Solaris. http://www.blackhat.com/presentations/bh-europe-01/shaun-clowes/bh-europe-01-clowes.ppt, 2001.

[6]

CLShortFuse. SuperOneClick. http://forum.xda-developers.com/showthread.php?t=803682, November 2012.

[7]

CyanogenMod Developers. CyanogenMod. http://www.cyanogenmod.org/, November 2012.

[8]

Davis, B., Sanders, B., Khodaverdian, A., and Chen, H. I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications. In Workshop on Mobile Security Technologies (MoST) (May 2012).

[9]

Egele, M., Kruegel, C., Kirda, E., and Vigna, G. PiOS: Detecting Privacy Leaks in iOS Applications. In Network and Distirbuted Systems Security Symposium (NDSS) (2 2011).

[10]

Enck, W., Gilbert, P., Chun, B., Cox, L. P., Jung, J., McDaniel, P., and Sheth, A. N. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Symposium on Operating Systems Design and Implementation (OSDI) (2010).

Digital Library

[11]

Freeman, J. Cydia Substrate for Android. http://www.cydiasubstrate.com/.

[12]

Google. In-app Billing. http://developer.android.com/guide/google/play/billing/, November 2012.

[13]

Google. In-app Billing Security and Design. http://developer.android.com/guide/google/play/billing/billing_best_practices.html, November 2012.

[14]

HTC. Unlock Bootloader. http://htcdev.com/bootloader/, November 2012.

[15]

Mitterhofer, S., Platzer, C., Kirda, E., and Kruegel, C. Server-side Bot Detection in Massively Multiplayer Online Games. IEEE Security and Privacy Magazine (5 2009).

Digital Library

[16]

Oracle. The Reflection API. http://docs.oracle.com/javase/tutorial/reflect/index.html, November 2012.

[17]

Petroni Jr, N., Fraser, T., Walters, A., and Arbaugh, W. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In USENIX Security Symposium (2006).

Digital Library

[18]

Reynaud, D., Song, D., Tom Magrino, E. W., and Shin, R. POSTER: FreeMarket: Shopping for free in Android applications. In ISOC Network and Distributed System Security Symposium (NDSS) (February 2012).

[19]

Seshadri, A., Luk, M., Shi, E., Perrig, A., van Doorn, L., and Khosla, P. Verifying code integrity and enforcing untampered code execution on legacy systems. In ACM Symposium on Operating System Principles (SOSP) (2005).

Digital Library

[20]

Spalka, A., Cremers, A., and Langweg, H. Trojan Horse Attacks on Software for Electronic Signatures. In Informatica (2002).

[21]

T. Stracener and E. A. Smith and S. Barnum. So Many Ways to Slap a Yo-Ho: Hacking Facebook and YoVille. http://www.defcon.org/images/defcon-18/dc-18-presentations/Stracener-Smith-Barnum/DEFCON-18-Stracener-Smith-Barnum-So-Many-Ways.pdf, August 2010.

[22]

Vollmer, R. Xposed. http://repo.xposed.info/.

[23]

Watson, R. N. M. TrustedBSD: Adding Trusted Operating System Features to FreeBSD. In USENIX Annual Technical Conference, FREENIX Track (2001), pp. 15--28.

Digital Library

[24]

Xu, R., Saidi, H., and Anderson, R. Aurasium: Practical Policy Enforcement for Android Applications. In USENIX Security Symposium (August 2012).

Digital Library

[25]

Yan, L. K., and Yin, H. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In USENIX Security Symposium (August 2012).

Digital Library

[26]

ZonD80. Getting started to receive your in-app for free on iOS. http://system.in-appstore.com/, Ocrober 2012.

Cited By

Shi SWang XZeng KYang RLau W(2021)An Empirical Study on Mobile Payment Credential Leaks and Their ExploitsSecurity and Privacy in Communication Networks10.1007/978-3-030-90022-9_5(79-98)Online publication date: 4-Nov-2021
https://doi.org/10.1007/978-3-030-90022-9_5
Shi SWang XLau W(2021)Breaking and Fixing Third-Party Payment Service for Mobile AppsApplied Cryptography and Network Security10.1007/978-3-030-78375-4_1(3-26)Online publication date: 10-Jun-2021
https://doi.org/10.1007/978-3-030-78375-4_1
Khanmohammadi KEbrahimi NHamou-Lhadj AKhoury R(2019)Empirical study of android repackaged applicationsEmpirical Software Engineering10.1007/s10664-019-09760-3Online publication date: 21-Aug-2019
https://doi.org/10.1007/s10664-019-09760-3
Show More Cited By

Index Terms

VirtualSwindle: an automated attack against in-app billing on android
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

AppInk: watermarking android apps for repackaging deterrence
ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security

With increased popularity and wide adoption of smartphones and mobile devices, recent years have seen a new burgeoning economy model centered around mobile apps. However, app repackaging, among many other threats, brings tremendous risk to the ecosystem,...
Fast, scalable detection of "Piggybacked" mobile applications
CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy

Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create ...
Android Applications Repackaging Detection Techniques for Smartphone Devices

The problem of malwares affecting Smartphones has been widely recognized by the researchers across the world. Majority of these malwares target Android OS. Studies have found that most of the Android malwares hide inside repackaged apps to get inside ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ASIA CCS '14: Proceedings of the 9th ACM symposium on Information, computer and communications security

June 2014

556 pages

ISBN:9781450328005

DOI:10.1145/2590296

General Chair:
Shiho Moriai
NICT, Japan
,
Program Chairs:
Trent Jaeger
Penn State University, USA
,
Kouichi Sakurai
Kyushu University, Japan

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 June 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Office of Naval Research

Conference

ASIA CCS '14

Sponsor:

SIGSAC

ASIA CCS '14: 9th ACM Symposium on Information, Computer and Communications Security

June 4 - 6, 2014

Kyoto, Japan

Acceptance Rates

ASIA CCS '14 Paper Acceptance Rate 50 of 255 submissions, 20%;

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
446
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Shi SWang XZeng KYang RLau W(2021)An Empirical Study on Mobile Payment Credential Leaks and Their ExploitsSecurity and Privacy in Communication Networks10.1007/978-3-030-90022-9_5(79-98)Online publication date: 4-Nov-2021
https://doi.org/10.1007/978-3-030-90022-9_5
Shi SWang XLau W(2021)Breaking and Fixing Third-Party Payment Service for Mobile AppsApplied Cryptography and Network Security10.1007/978-3-030-78375-4_1(3-26)Online publication date: 10-Jun-2021
https://doi.org/10.1007/978-3-030-78375-4_1
Khanmohammadi KEbrahimi NHamou-Lhadj AKhoury R(2019)Empirical study of android repackaged applicationsEmpirical Software Engineering10.1007/s10664-019-09760-3Online publication date: 21-Aug-2019
https://doi.org/10.1007/s10664-019-09760-3
Zurriaga ÓMartínez JCorrochano VCavero-Carbonell C(2018)Registros y biobancos de enfermedades raras. Una oportunidad para avanzarArbor10.3989/arbor.2018.789n3011194:789(469)Online publication date: 30-Nov-2018
https://doi.org/10.3989/arbor.2018.789n3011
Nguyen-Vu LChau NKang SJung S(2017)Android RootingSecurity and Communication Networks10.1155/2017/41217652017Online publication date: 1-Jan-2017
https://dl.acm.org/doi/10.1155/2017/4121765
Bianchi AGustafson EFratantonio YKruegel CVigna G(2017)Exploitation and Mitigation of Authentication Schemes Based on Device-Public InformationProceedings of the 33rd Annual Computer Security Applications Conference10.1145/3134600.3134615(16-27)Online publication date: 4-Dec-2017
https://dl.acm.org/doi/10.1145/3134600.3134615
Kim THa HChoi SJung JChun BKarri RSinanoglu OSadeghi AYi X(2017)Breaking Ad-hoc Runtime Integrity Protection Mechanisms in Android Financial AppsProceedings of the 2017 ACM on Asia Conference on Computer and Communications Security10.1145/3052973.3053018(179-192)Online publication date: 2-Apr-2017
https://dl.acm.org/doi/10.1145/3052973.3053018
Yuan XSetayeshfar OYan HPanage PWei XLee KKarri RSinanoglu OSadeghi AYi X(2017)DroidForensicsProceedings of the 2017 ACM on Asia Conference on Computer and Communications Security10.1145/3052973.3052984(666-677)Online publication date: 2-Apr-2017
https://dl.acm.org/doi/10.1145/3052973.3052984
Tam KFeizollah AAnuar NSalleh RCavallaro L(2017)The Evolution of Android Malware and Android Analysis TechniquesACM Computing Surveys10.1145/301742749:4(1-41)Online publication date: 13-Jan-2017
https://dl.acm.org/doi/10.1145/3017427
Sadeghi ABagheri HGarcia JMalek S(2017)A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android SoftwareIEEE Transactions on Software Engineering10.1109/TSE.2016.261530743:6(492-530)Online publication date: 1-Jun-2017
https://doi.org/10.1109/TSE.2016.2615307
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents