DOI: 10.1145/3485447.3512151

Lie to Me: Abusing the Mobile Content Sharing Service for Fun and Profit

Published: 25 April 2022

Abstract

Online content sharing is a widely used feature in Android apps. In this paper, we present a new Fake-Share attack in which adversaries abuse existing content-sharing services to manipulate the displayed source of shared content, bypassing the content review of targeted Online Social Apps (OSAs) and inducing users to click on the shared fraudulent content. We show that seven popular content-sharing services (including WeChat, AliPay, and KakaoTalk) are vulnerable to such an attack. To detect this kind of attack and to explore whether adversaries have leveraged it in the wild, we propose DeFash, a multi-granularity detection tool that combines static analysis with dynamic verification. Extensive in-the-lab and in-the-wild experiments demonstrate that DeFash is effective in detecting such attacks. We have identified 51 real-world apps involved in Fake-Share attacks, and we have further harvested over 24K pieces of Sharing Identification Information (SIIs) that can be abused by attackers. It is hence urgent for our community to take action to detect and mitigate this kind of attack.


Cited By

• (2023) Demystifying Hidden Sensitive Operations in Android Apps. ACM Transactions on Software Engineering and Methodology 32(2), 1-30. DOI: 10.1145/3574158. Online publication date: 29 March 2023.
• (2023) Demystifying Privacy Policy of Third-Party Libraries in Mobile Apps. Proceedings of the 45th International Conference on Software Engineering, 1583-1595. DOI: 10.1109/ICSE48619.2023.00137. Online publication date: 14 May 2023.


Published In

WWW '22: Proceedings of the ACM Web Conference 2022, April 2022, 3764 pages. ISBN: 9781450390965. DOI: 10.1145/3485447.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Content Sharing
2. Data-flow Analysis
3. Fake-Share Attack
4. OSAs
5. Secret Leakage

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

WWW '22: The ACM Web Conference 2022, April 25-29, 2022, Virtual Event, Lyon, France.

Acceptance Rates

Overall acceptance rate: 1,899 of 8,196 submissions, 23%
