Abstract

The amount of Android malware has been increasing dramatically in recent years. Android malware can violate users’ security and privacy and damage their economic situation. Studying new malware allows us to better understand the threat and design effective anti-malware strategies. In this paper, we introduce a new type of malware that exploits Android’s accessibility framework and describe a condition that allows malicious payloads to usurp control of the screen, steal user credentials and compromise user privacy and security. We implement a proof-of-concept malware to demonstrate such vulnerabilities and present experimental findings on the success rates of this attack. We show that 100% of application launches can be detected using this malware, and that a malicious Activity can gain control of the screen 100% of the time. Our major contribution is twofold. First, we are the first to discover this new category of Android malware that manipulates Android’s accessibility framework. Second, our study finds new types of attacks and complements the categorization of Android malware by Zhou and Jiang [21]. This prompts the community to rethink the categorization of malware, both for categorizing existing attacks and for predicting new ones.

Highlights

  • The number of mobile malware samples has increased enormously over the past two years while mobile devices have become a ubiquitous tool in daily life

  • We provide the experimental results for detecting application launch and winning the race condition

  • In the Android versions we tested, application launch detection can be done for any application that defines a Launcher Activity


Summary

Introduction

The number of mobile malware samples has increased enormously over the past two years while mobile devices have become a ubiquitous tool in daily life. With 92 percent of mobile malware being Android malware, analyzing and categorizing this malware is an important step toward predicting new attacks. Alongside analyzing and categorizing known malware samples, it is important to identify and fix vulnerabilities in the Android platform that may be used by creators of malicious applications. The malicious payload of the new malware can be a set of attacks, depending on which app a victim user launches. The malware detects the app launch via the Android accessibility service, displays a corresponding user interface impersonating the app, and performs credential collection or other malicious behavior. An Android application must contain one or more of the following four components: Activity, Service, Broadcast Receiver, and Content Provider [15]. Broadcast Receivers receive messages, in the form of data constructs called Intents, from the Android system or user applications. The exploit presented in this paper focuses on Activities and Services.
