A Phishing Attack using Website Fingerprinting on Android Smartphones  

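Ahn, Woo Hyun (Department of Computer Software, Kwangwoon University)
Oh, Yunseok (Department of Computer Software, Kwangwoon University)
Pyo, Sang-Jin (Department of Computer Software, Kwangwoon University)
Kim, Tae-Soon (Department of Computer Software, Kwangwoon University)
Lim, Seung-Ho (Division of Computer and Electronic Systems Engineering, Hankuk University of Foreign Studies)
Oh, Jaewon (School of Computer Science and Information Engineering, The Catholic University of Korea)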
Abstract
The Android operating system is exposed to a phishing attack that steals private information a user enters into a web page. We have discovered two security vulnerabilities that enable this attack. First, an always-on-top scheme allows malware to place a transparent user interface (UI) over the current top screen and intercept user input. Second, Android provides some APIs that allow malware to obtain information about the currently visited web page. This paper introduces a phishing attack that targets a web page by exploiting these two vulnerabilities. The attack detects a visit to a security-relevant web page and steals private information from that page. Our experiments on popular web sites reveal that the attack is significantly accurate and dangerous.
Keywords
Android security; web browser; website fingerprinting; phishing