Abstract

To spare users the inconvenience of retyping their ID and password, most mobile apps now provide an automatic login feature for a better user experience. To this end, the auto-login credential is stored locally on the smartphone. However, such a sensitive credential can be stolen by attackers and placed onto their own smartphones via the well-known credential-clone attack. Attackers can then imperceptibly log into the victim's account, which causes more devastating and covert losses than merely intercepting the user's password. In this article, we propose a generalized Android credential-clone attack, called the data-clone attack. By exploiting newly found vulnerabilities in original equipment manufacturer (OEM)-made phone clone apps, we design an identity theft method that overcomes the problem of incomplete credential extraction and eliminates the requirement of root authority. To evade the consistency checks that apps perform on device-specific attributes, we design two environment customization methods, one at the app level and one at the operating system (OS) level. In particular, we develop a transparent Android OS customization solution, named CloneDroid, which simulates 101 special attributes of Android OS. We implement a prototype of CloneDroid, and the experimental results show that the accounts of 172 out of 175 most-downloaded apps can be jeopardized, including Facebook and WeChat. Moreover, our study has identified 18 confirmed zero-day vulnerabilities. Our findings paint a cautionary tale for the security community: billions of accounts are potentially exposed to Android OS customization-assisted data-clone attacks.

Highlights

  • Nowadays, most existing mobile apps support an automatic login mechanism [1]–[5], which reduces the hassle of typing a user ID and password on a small keyboard and improves the user experience

  • The automatic login mechanism depends on the login credential, which is returned by the server and stored locally when the user logs into the account for the first time

  • Evaluation: We evaluate the effectiveness of the data-clone attack by cloning the intercepted private data to the attacker's real machine environment, Xposed-based custom environment, and CloneDroid environment, and checking the status of the app that restored the login state


Summary

Introduction

Nowadays, most existing mobile apps support an automatic login mechanism [1]–[5], which reduces the hassle of typing a user ID and password on a small keyboard and improves the user experience.

Automatic login mechanism of apps

Usually, because Android's small touchscreen limits a smartphone to running one app in the foreground, users frequently switch to other apps in the background. Given these limits on smartphone resources, if multiple apps stay in the background for a long time, they may be killed by the system or by users to release resources. We selected 175 apps to check the automatic login function and found that it is available in 174 apps.
