Journal article details
IEEE Access
Android Data-Clone Attack via Operating System Customization
Ming Jiang [1], Yi Xiang [2], Wenna Song [2], Kun He [2], Guojun Peng [2], Yuan Luo [2], Yuan Chen [2], Han Yan [2]
[1] Computer Science and Engineering Department, The University of Texas at Arlington, Arlington, TX, USA
[2] Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Keywords: Automatic login; data-clone attack; identity theft; OS customization
DOI: 10.1109/ACCESS.2020.3035089
Source: DOAJ
Abstract

To avoid the inconvenience of retyping a user's ID and password, most mobile apps now provide an automatic login feature for a better user experience. To this end, the auto-login credential is stored locally on the smartphone. However, such sensitive credentials can be stolen by attackers and placed on their own smartphones via the well-known credential-clone attack. Attackers can then imperceptibly log into the victim's account, which causes more devastating and covert losses than merely intercepting the user's password. In this article, we propose a generalized Android credential-clone attack, called the data-clone attack. By exploiting newly found vulnerabilities in original equipment manufacturer (OEM)-made phone clone apps, we design an identity theft method that overcomes the problem of incomplete credential extraction and eliminates the requirement of root authority. To evade the consistency check of device-specific attributes in apps, we design two environment customization methods, at the app level and the operating system (OS) level, respectively. In particular, we develop a transparent Android OS customization solution, named CloneDroid, which simulates 101 special attributes of Android OS. We implement a prototype of CloneDroid, and the experimental results show that the accounts of 172 out of the 175 most-downloaded apps can be jeopardized, including Facebook and WeChat. Moreover, our study has identified 18 confirmed zero-day vulnerabilities. Our findings paint a cautionary tale for the security community that billions of accounts are potentially exposed to Android OS customization-assisted data-clone attacks.

License

Unknown   
