Limited by the small keyboard, most mobile apps support the automatic login feature for better user experience. Therefore, users avoid the inconvenience of retyping their ID and password when an app runs in the foreground again. However, this auto-login function can be exploited to launch the so-called "data-clone attack": once the locally-stored, auto-login depended data are cloned by attackers and placed into their own smartphones, attackers can break through the login-device number limit and log in to the victim's account stealthily. A natural countermeasure is to check the consistency of devicespecific attributes. As long as the new device shows different device fingerprints with the previous one, the app will disable the auto-login function and thus prevent data-clone attacks.In this paper, we develop VPDroid, a transparent Android OSlevel virtualization platform tailored for security testing. With VPDroid, security analysts can customize different device artifacts, such as CPU model, Android ID, and phone number, in a virtual phone without user-level API hooking. VPDroid's isolation mechanism ensures that user-mode apps in the virtual phone cannot detect device-specific discrepancies. To assess Android apps' susceptibility to the data-clone attack, we use VPDroid to simulate data-clone attacks with 234 most-downloaded apps.
Our experiments on five different virtual phone environmentsshow that VPDroid's device attribute customization can deceive all tested apps that perform device-consistency checks, such as Twitter, WeChat, and PayPal. 19 vendors have confirmed our report as a zero-day vulnerability. Our findings paint a cautionary tale: only enforcing a device-consistency check at client side is still vulnerable to an advanced data-clone attack.
I. In t r o d u c t io nWith the prosperous development of the Android system and mobile networks [1], [2], the apps running on Android keep updating constantly to meet the fast-growing demand of smartphone users. In addition to the standard functionalities such as communication and entertainment, apps are now performing various critical tasks such as social networking [3], GPS navigation [4], IoT device remote control [5], and mobile payment [6]. Inevitably large amounts of private data (e.g., user credentials) are stored in the smartphone. Therefore, the
