Institutional Repository
Technical University of Crete

This sneaky piggy went to the Android ad market: misusing mobile sensors for stealthy data exfiltration

Diamantaris Michalis, Moustakas Serafeim, Sun Lichao, Ioannidis Sotirios, Polakis Jason

Simple Record


URI: http://purl.tuc.gr/dl/dias/0082810F-A41F-4DD8-A26D-BD3E213E4E3A
Identifier: https://doi.org/10.1145/3460120.3485366
Identifier: https://dl.acm.org/doi/10.1145/3460120.3485366
Language: en
Size: 17 pages
Title: This sneaky piggy went to the Android ad market: misusing mobile sensors for stealthy data exfiltration
Creator: Diamantaris Michalis
Creator: Moustakas Serafeim
Creator: Sun Lichao
Creator: Ioannidis Sotirios
Creator: Ιωαννιδης Σωτηριος
Creator: Polakis Jason
Publisher: Association for Computing Machinery (ACM)
Abstract: Mobile sensors have transformed how users interact with modern smartphones and enhance their overall experience. However, the absence of sufficient access control for protecting these sensors enables a plethora of threats. As prior work has shown, malicious apps and sites can deploy a wide range of attacks that use data captured from sensors. Unfortunately, as we demonstrate, in the modern app ecosystem where most apps fetch and render third-party web content, attackers can use ads for delivering attacks. In this paper, we introduce a novel attack vector that misuses the advertising ecosystem for delivering sophisticated and stealthy attacks that leverage mobile sensors. These attacks do not depend on any special app permissions or specific user actions, and affect all Android apps that contain in-app advertisements due to the improper access control of sensor data in WebView. We outline how motion sensor data can be used to infer users' sensitive touch input (e.g., credit card information) in two distinct attack scenarios, namely intra-app and inter-app data exfiltration. While the former targets the app displaying the ad, the latter affects every other Android app running on the device. To make matters worse, we have uncovered serious flaws in Android's app isolation, life cycle management, and access control mechanisms that enable persistent data exfiltration even after the app showing the ad is moved to the background or terminated by the user. Furthermore, as in-app ads can "piggyback" on the permissions intended for the app's core functionality, they can also obtain information from protected sensors such as the camera, microphone and GPS. To provide a comprehensive assessment of this emerging threat, we conduct a large-scale, end-to-end, dynamic analysis of ads shown in apps available in the official Android Play Store. Our study reveals that ads in the wild are already accessing and leaking data obtained from motion sensors, thus highlighting the need for stricter access control policies and isolation mechanisms.
Type: Conference Full Paper
License: http://creativecommons.org/licenses/by/4.0/
Date: 2023-06-02
Publication Date: 2021
Subject: Android in-app ads
Subject: WebView
Subject: Mobile HTML5
Subject: Sensor attacks
Bibliographic Citation: M. Diamantaris, S. Moustakas, L. Sun, S. Ioannidis and J. Polakis, “This sneaky piggy went to the Android ad market: misusing mobile sensors for stealthy data exfiltration,” in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS 2021), Virtual event, 2021, pp. 1065–1081, doi: 10.1145/3460120.3485366.
