GUI-Squatting Attack: Automated Generation of Android Phishing Apps

Chen, Sen; Fan, Lingling; Chen, Chunyang; Xue, Minhui; Yang, Lan; Xu, Li-Hua

doi:10.1109/tdsc.2019.2956035

Cited by 43 publications

(22 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…unlike the central guardians of the cloud server, on-device models may be more vulnerable inside users' phones. For example, most model files can be obtained by decompiling Android apps without any obfuscation or encryption [18], [49]. Such model files may be exposed to malicious attacks.…”

Section: Corresponding Authormentioning

confidence: 99%

Robustness of on-Device Models: Adversarial Attack to Deep Learning Models on Android Apps

Yujin

Chen

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

Self Cite

View full text Add to dashboard Cite

Deep learning has shown its power in many applications, including object detection in images, natural-language understanding, and speech recognition. To make it more accessible to end users, many deep learning models are now embedded in mobile apps. Compared to offloading deep learning from smartphones to the cloud, performing machine learning on-device can help improve latency, connectivity, and power consumption. However, most deep learning models within Android apps can easily be obtained via mature reverse engineering, while the models' exposure may invite adversarial attacks. In this study, we propose a simple but effective approach to hacking deep learning models using adversarial attacks by identifying highly similar pre-trained models from TensorFlow Hub. All 10 real-world Android apps in the experiment are successfully attacked by our approach. Apart from the feasibility of the model attack, we also carry out an empirical study that investigates the characteristics of deep learning models used by hundreds of Android apps on Google Play. The results show that many of them are similar to each other and widely use fine-tuning techniques to pre-trained models on the Internet.

show abstract

Section: Corresponding Authormentioning

confidence: 99%

Robustness of on-Device Models: Adversarial Attack to Deep Learning Models on Android Apps

Yujin

Chen

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…In this section, we elaborate on the attack in which an adversary can deceive users and obtain the SMS OTP message through a malicious installed app without any SMS-related permissions. Different from the previous phishing attacks in which the malicious app mimics the authentic UI and steal user inputs [14], [20], here, we focus on understanding how the newly introduced user-interactionbased mechanisms (e.g., the One-Tap mechanism) can affect the efficacy of UI deception attacks. Specifically, we first elaborate on the attack scenario and its root cause.…”

Section: Getting Sms Otps By Deceiving Usersmentioning

confidence: 99%

“…Following this line of research, in earlier years, research highlighted various attack channels. This includes physical access to the device [46], mobile malware which steals the SMS OTP message by requesting the less-restricted SMS permissions [12], as well as phishing attacks [9], [13], [14] that can get the SMS OTP code from the user input. Different from prior research, we systematically studied the practical ways an adversary can use to obtain the SMS OTP message through a malicious app running on a victim's device, dealing with the various new features introduced in modern mobile operating systems.…”

Section: Related Workmentioning

confidence: 99%

On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices

Zeng¹,

Nan

Fratantonio

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

“…From this analysis, a GUI is generated by combining code snippets for each element, trying to mimic the real app as closely as possible. Deception code is then introduced, which siphons the user's personal details to a remote server and generates a pop-up to mislead the user into believing that the issue is a technical issue with the app rather than a security threat [71]. This method has been proved to bypass many modern anti-phishing techniques including layout similarity, visual similarity, personalized indicators, and window integrity methods.…”

Section: Gui-squattingmentioning

confidence: 99%

Phishing Attacks Survey: Types, Vectors, and Technical Approaches

Alabdan

2020

Future Internet

130

View full text Add to dashboard Cite

Phishing attacks, which have existed for several decades and continue to be a major problem today, constitute a severe threat in the cyber world. Attackers are adopting multiple new and creative methods through which to conduct phishing attacks, which are growing rapidly. Therefore, there is a need to conduct a comprehensive review of past and current phishing approaches. In this paper, a review of the approaches used during phishing attacks is presented. This paper comprises a literature review, followed by a comprehensive examination of the characteristics of the existing classic, modern, and cutting-edge phishing attack techniques. The aims of this paper are to build awareness of phishing techniques, educate individuals about these attacks, and encourage the use of phishing prevention techniques, in addition to encouraging discourse among the professional community about this topic.

show abstract

GUI-Squatting Attack: Automated Generation of Android Phishing Apps

Cited by 43 publications

References 50 publications

Robustness of on-Device Models: Adversarial Attack to Deep Learning Models on Android Apps

Robustness of on-Device Models: Adversarial Attack to Deep Learning Models on Android Apps

On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices

Phishing Attacks Survey: Types, Vectors, and Technical Approaches

Contact Info

Product

Resources

About