DOI: 10.1145/3448300.3468288
research-article

RIP StrandHogg: a practical StrandHogg attack detection method on Android

Published: 28 June 2021

Abstract

StrandHogg vulnerabilities affect Android's multitasking system and threaten up to 90% of Android platforms, which translates to millions of affected users. Existing countermeasures require modification of the OS, have usability drawbacks, or are limited to the detection of certain attack versions. In this work, we aim to develop a generic, efficient, and usability-friendly attack detection method, which does not require OS modifications and can be employed by apps installed on any vulnerable Android platform. To achieve our goal, we analyze StrandHogg attack techniques and develop two countermeasures, one using Machine Learning and the other one using ActivityCounter - a reliable attack indicator, which we could synthetically engineer. Our first approach achieves an average F1 score of 92% across all attack variations, while ActivityCounter shows superior performance and efficiently detects all attack versions without false positives. ActivityCounter is the first solution without practical limitations, which can be easily deployed in practice and protect millions of affected users.


Cited By

  • (2021) Vulnerability Analysis and Detection Using Graph Neural Networks for Android Operating System. Information Systems Security (57-72). DOI: 10.1007/978-3-030-92571-0_4. Online publication date: 16-Dec-2021

Information & Contributors

Information

Published In

WiSec '21: Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks
June 2021
412 pages
ISBN:9781450383493
DOI:10.1145/3448300
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Android
  2. StrandHogg
  3. StrandHogg detection

Qualifiers

  • Research-article

Conference

WiSec '21

Acceptance Rates

WiSec '21 Paper Acceptance Rate 34 of 121 submissions, 28%;
Overall Acceptance Rate 98 of 338 submissions, 29%
