Institutional Repository [SANDBOX]
Technical University of Crete
EN  |  EL

Search

Browse

My Space

This sneaky piggy went to the Android ad market: misusing mobile sensors for stealthy data exfiltration

Diamantaris Michalis, Moustakas Serafeim, Sun Lichao, Ioannidis Sotirios, Polakis Jason

Simple record


URIhttp://purl.tuc.gr/dl/dias/0082810F-A41F-4DD8-A26D-BD3E213E4E3A-
Identifierhttps://doi.org/10.1145/3460120.3485366-
Identifierhttps://dl.acm.org/doi/10.1145/3460120.3485366-
Languageen-
Extent17 pagesen
TitleThis sneaky piggy went to the Android ad market: misusing mobile sensors for stealthy data exfiltrationen
CreatorDiamantaris Michalisen
CreatorMoustakas Serafeimen
CreatorSun Lichaoen
CreatorIoannidis Sotiriosen
CreatorΙωαννιδης Σωτηριοςel
CreatorPolakis Jasonen
PublisherAssociation for Computing Machinery (ACM)en
Content SummaryMobile sensors have transformed how users interact with modern smartphones and enhance their overall experience. However, the absence of sufficient access control for protecting these sensors enables a plethora of threats. As prior work has shown, malicious apps and sites can deploy a wide range of attacks that use data captured from sensors. Unfortunately, as we demonstrate, in the modern app ecosystem where most apps fetch and render third-party web content, attackers can use ads for delivering attacks. In this paper, we introduce a novel attack vector that misuses the advertising ecosystem for delivering sophisticated and stealthy attacks that leverage mobile sensors. These attacks do not depend on any special app permissions or specific user actions, and affect all Android apps that contain in-app advertisements due to the improper access control of sensor data in WebView. We outline how motion sensor data can be used to infer users' sensitive touch input (e.g., credit card information) in two distinct attack scenarios, namely intra-app and inter-app data exfiltration. While the former targets the app displaying the ad, the latter affects every other Android app running on the device. To make matters worse, we have uncovered serious flaws in Android's app isolation, life cycle management, and access control mechanisms that enable persistent data exfiltration even after the app showing the ad is moved to the background or terminated by the user. Furthermore, as in-app ads can "piggyback" on the permissions intended for the app's core functionality, they can also obtain information from protected sensors such as the camera, microphone and GPS. To provide a comprehensive assessment of this emerging threat, we conduct a large-scale, end-to-end, dynamic analysis of ads shown in apps available in the official Android Play Store. Our study reveals that ads in the wild are already accessing and leaking data obtained from motion sensors, thus highlighting the need for stricter access control policies and isolation mechanisms.en
Type of ItemΠλήρης Δημοσίευση σε Συνέδριοel
Type of ItemConference Full Paperen
Licensehttp://creativecommons.org/licenses/by/4.0/en
Date of Item2023-06-02-
Date of Publication2021-
SubjectAndroid in-app adsen
SubjectWebViewen
SubjectMobile HTML5en
SubjectSensor attacksen
Bibliographic CitationM. Diamantaris, S. Moustakas, L. Sun, S. Ioannidis and J. Polakis, “This sneaky piggy went to the Android ad market: misusing mobile sensors for stealthy data exfiltration,” in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS 2021), Virtual event, 2021, pp. 1065–1081, doi: 10.1145/3460120.3485366.en

Available Files

Services

Statistics