diff --git a/Data/Developer Email.md b/Data/Developer Email.md new file mode 100644 index 0000000..c7af447 --- /dev/null +++ b/Data/Developer Email.md 
@@ -0,0 +1,18 @@ +# Developer Email + +Dear * Application Development Team: + +​ Hello, we have discovered a security vulnerability that could lead to the leakage of user information to malicious attackers. + +​ The security vulnerability is valid for applications within Android mobile devices. The specific threat scenario is that the malware plays a video on the user's device in a small window mode, and it listens for the name of the running foreground application. When it detects that your application is running and it enters a page with sensitive information (e.g. login page, payment page), the malware will pop up a phishing page to overlay on top of the original page and trick the user into entering their information credentials. + +​ This process will be shown step-by-step within the recorded screen in Annex I. In order to be able to show more clearly the effect of being overwritten by a phishing page, we set a slight difference between the phishing page and the original page: the position of the control layout is shifted down/a Text text is added. Because of this setting, the interface undergoes a short jump when a phishing attack occurs. In a real threat scenario to the user, this jump would be removed. +​ To address this security vulnerability, we provide you with several suggested security fixes: +(1) When your own application goes into the background, a Toast pops up to alert the user that the application has been switched to the background. +(2) When your application enters the background, a notification panel pops up to alert the user that the application has been switched to the background. +(3) Call startActivity method several times when entering sensitive page, so that you can call your own page again when hijacking occurs to realize anti-hijacking. +​ I hope the suggestions in this email can be adopted. + +​ * + +​ May 29, 2023 \ No newline at end of file 
diff --git a/Data/RQ2.xlsx b/Data/RQ2.xlsx new file mode 100644 index 0000000..6310c96 Binary files /dev/null and b/Data/RQ2.xlsx differ diff --git a/Data/RQ4.xlsx b/Data/RQ4.xlsx new file mode 100644 index 0000000..4f12bd3 Binary files /dev/null and b/Data/RQ4.xlsx differ diff --git a/Data/User Survey Questionnaire.md b/Data/User Survey Questionnaire.md new file mode 100644 index 0000000..29eaa3f --- /dev/null +++ b/Data/User Survey Questionnaire.md 
@@ -0,0 +1,188 @@ +# User Survey Questionnaire + +## 1 Picture-In-Picture mode + +​ Using the picture-in-picture mode in the multi-view scheme, we implemented three attacks. Picture-in-picture is a feature provided by Android to video software that allows the video to play in a small window, enabling the user to continue watching the video while using other applications. + +### (1) Picture-in-Picture Attack 1: Picture-in-Picture Hijacking Attack + +​ The purpose of this attack is to use the malicious video prepared by the attacker to hijack the small window where the video is playing, so that the original video being played is replaced. +​ For example, when a user is watching a video in a small window to learn the safe operation of a product, the malicious attacker can replace the original safe operation video with a video designed for wrong operation. + +​ *there is FS2PIP.mp4.* + +​ In this video, the video played by "Aiqiyi" runs in a small window. Then, when the user uses malware disguised as a normal application (in this demo video, the malware is disguised as a novel reader), the malware replaces the running video with a video designed by the attacker in advance. + +​ **If you are a user with malware, how likely do you think you are to be tricked by that hijack?** + +| 1 | 2 | 3 | 4 | 5 | +| :------------------: | :--------: | :------: | :-----------: | :------: | +| Extremely Impossible | Impossible | Possible | Very Possible | Definite | + +​ **How harmful do you think picture-in-picture hijacking attack are in the real world?** + +| 1 | 2 | 3 | 4 | 5 | +| :---------: | :---------: | :-----: | :----------: | :---------------: | +| Not Harmful | Low Harmful | Harmful | Very Harmful | Extremely Harmful | + +### (2) Picture-in-Picture Attack 2: Mode Forced Conversion Attack + +​ The purpose of this attack is to pop up a phishing page above the attacked software. 
The phishing page is identical to the page of the attacked software and is used to trick users into actively entering their account password/payment code. In this attack, the malware disguises itself as a normal video software and runs in a small window in picture-in-picture mode, launching the attack when it finds the target to be attacked running. +​ For example, it attacks the login and payment interfaces of Alipay, and the login and payment interfaces of banking software. The malware demonstrated in the following video uses Alipay as the target. + +​ *there is PIP2FS@SaS.mp4.* + +​ In this video, the malware disguises itself as video software and plays "The Newsroom" in a small window. When the software the user is using is not the target of the malware, the malware will continue to play the video normally, such as the "Bank of Communications" opened in the video, which did not trigger the malware attack. When the user opens "Alipay", the malware will overlay the phishing page on top of the original Alipay login interface, as shown in the video 21-25 seconds. + +​ **If you are a user with malware, how likely do you think you are to be tricked by that hijack?** + +| 1 | 2 | 3 | 4 | 5 | +| :------------------: | :--------: | :------: | :-----------: | :------: | +| Extremely Impossible | Impossible | Possible | Very Possible | Definite | + +​ **How harmful do you think mode forced conversion attack are in the real world?** + +| 1 | 2 | 3 | 4 | 5 | +| :---------: | :---------: | :-----: | :----------: | :---------------: | +| Not Harmful | Low Harmful | Harmful | Very Harmful | Extremely Harmful | + +### (3) Picture-in-Picture Attack 3: Task Move Attack + +​ The purpose of this attack is the same as Picture-in-Picture Attack 2. The malware is also disguised as a video software, and the malware initiates the attack when the target to be attacked is found running. +​ The malware demonstrated in the video uses Alipay as the target of the attack. 
+ +​ *there is PIP2FS@RaR.mp4.* + +​ In this video, the malware disguises itself as video software and plays "Old Friends" in a small window. When the user opens Alipay, the malware overlays the phishing page on top of the original Alipay login screen, as shown in seconds 13-16 of the video. + +​ **If you are a user with malware, how likely do you think you are to be tricked by that hijack?** + +| 1 | 2 | 3 | 4 | 5 | +| :------------------: | :--------: | :------: | :-----------: | :------: | +| Extremely Impossible | Impossible | Possible | Very Possible | Definite | + +​ **How harmful do you think task move attack are in the real world?** + +| 1 | 2 | 3 | 4 | 5 | +| :---------: | :---------: | :-----: | :----------: | :---------------: | +| Not Harmful | Low Harmful | Harmful | Very Harmful | Extremely Harmful | + +## 2 FreeForm + +​ Using the free window mode in the multi-view scheme, we implemented three attacks. Free windowing is a feature provided by Android to manufacturers of devices (phones, tablets, etc.) that allows applications to run in a small windowed mode, allowing the user to operate two applications on the screen at the same time. + +### (1) FreeForm Attack 1: Web Page Orientation Attack + +​ The malware containing this attack will run in free window mode. When the target to be attacked is found open, it will directly pop up the browser and direct it to a phishing page created by the attacker in advance. The phishing page will be designed to resemble the target's web-side page to trick the user into entering account passwords/payment codes. Additionally, the attack will also display an alert pop-up with the logo of the target to be attacked, which will be used to deceive the user. + +​ *there is FF2FS@WT.mp4.* + +​ In this video, the malware runs in a small window disguised as pixel graffiti software. 
When the user is using software that is not our target, the malware will continue to run normally, such as the "Bank of Communications" opened in the video, which did not trigger the malware attack. When the user opens "Alipay", the malware will open the browser, direct the webpage to the phishing link set by the attacker, and pop up a window to tell the user to log in to "Alipay" using the webpage, as shown in the video from 12 to 17 seconds. + +​ **If you are a user with malware, how likely do you think you are to be tricked by that hijack?** + +| 1 | 2 | 3 | 4 | 5 | +| :------------------: | :--------: | :------: | :-----------: | :------: | +| Extremely Impossible | Impossible | Possible | Very Possible | Definite | + +​ **How harmful do you think web page orientation attack are in the real world?** + +| 1 | 2 | 3 | 4 | 5 | +| :---------: | :---------: | :-----: | :----------: | :---------------: | +| Not Harmful | Low Harmful | Harmful | Very Harmful | Extremely Harmful | + +### (2) FreeForm Attack 2: Conversion Hijacking Attack + +​ The application containing this attack will masquerade as a browser application and run in free window mode. When the target of the attack is found open, the malware will open the browser in a full-screen interface and direct the URL to the web page originally viewed on the malware. In addition, the malware's display will jump to a phishing page with a pop-up message telling the user to "For security reasons, in multi-window scenarios, please use a small window to login/pay". +​ The malware demonstrated in the video below targets Alipay. + +​ *there is FF2FS@PR.mp4.* + +​ In this video, the malware runs in a small window disguised as browser software. When the user is using software that is not our target, the malware will continue to run normally, such as "Bank of Communications" opened in the video, which does not trigger the malware attack. 
When the user opens "Alipay", the malware opens the browser and directs the webpage to the page that the malware is browsing (in this demo video, the page is the Android developer guide page). When the malware jumps to the phishing page, a pop-up window will appear to tell the user to log in to Alipay using a small window, as shown in seconds 16-21 of the video. + +​ **If you are a user with malware, how likely do you think you are to be tricked by that hijack?** + +| 1 | 2 | 3 | 4 | 5 | +| :------------------: | :--------: | :------: | :-----------: | :------: | +| Extremely Impossible | Impossible | Possible | Very Possible | Definite | + +​ **How harmful do you think conversion hijacking attack are in the real world?** + +| 1 | 2 | 3 | 4 | 5 | +| :---------: | :---------: | :-----: | :----------: | :---------------: | +| Not Harmful | Low Harmful | Harmful | Very Harmful | Extremely Harmful | + +### (3) FreeForm Attack 3: FreeForm Hijacking Attack + +​ This attack targets the hijacking of applications running in small windows, and the malware will run in full screen. When the target is found to be open, the malware will jump to a phishing page and pop up a prompt to tell the user "To provide a secure environment, please log in using the login screen on the main screen". +​ The malware demonstrated in the video below targets Alipay. + +​ *there is FS2FF.mp4.* + +​ In this video, the malware runs on the home screen disguised as an Arxiv paper reader. When the user opens Alipay, the malware jumps to a phishing page and pops up a window telling the user to use the home screen to log into Alipay, as shown in the video from 9 to 14 seconds. 
+ +​ **If you are a user with malware, how likely do you think you are to be tricked by that hijack?** + +| 1 | 2 | 3 | 4 | 5 | +| :------------------: | :--------: | :------: | :-----------: | :------: | +| Extremely Impossible | Impossible | Possible | Very Possible | Definite | + +​ **How harmful do you think freeform hijacking attack are in the real world?** + +| 1 | 2 | 3 | 4 | 5 | +| :---------: | :---------: | :-----: | :----------: | :---------------: | +| Not Harmful | Low Harmful | Harmful | Very Harmful | Extremely Harmful | + +## 3 Split-Screen + +​ Using the split-screen mode in the multi-view scheme, we implemented a hijacking attack. Split-screen mode is a feature provided by Android to manufacturers of devices (phones, tablets, etc.) that allows two apps to occupy half of the screen each, allowing the user to operate two apps at the same time. + +### (1) Split-Screen Attack 1: Force Close Split-Screen Attack + +​ This attack aims to attack the application running in the other half of the screen. When the target is found to be open, the malware will force the user to exit the split-screen mode, enter the full-screen mode, and jump to the phishing page. In addition, a pop-up window will appear telling the user to "please log in using the full-screen app". +​ The malware demonstrated in the video below targets Alipay. + +​ *there is SS2FS.mp4.* + +​ In this video, the malware is disguised as an exchange rate calculator running on one of the split-screen screens. When the user opens "Alipay", the malware will force the user to exit the split-screen mode, jump to a phishing page, and pop up a window telling the user that "for security reasons, please use the main screen to log in to Alipay", as shown in the video from 7 to 12 seconds. 
+ +​ **If you are a user with malware, how likely do you think you are to be tricked by that hijack?** + +| 1 | 2 | 3 | 4 | 5 | +| :------------------: | :--------: | :------: | :-----------: | :------: | +| Extremely Impossible | Impossible | Possible | Very Possible | Definite | + +​ **How harmful do you think force close split-screen attack are in the real world?** + +| 1 | 2 | 3 | 4 | 5 | +| :---------: | :---------: | :-----: | :----------: | :---------------: | +| Not Harmful | Low Harmful | Harmful | Very Harmful | Extremely Harmful | + +## 4 Multi-window solutions + +​ **Do you often use multi-window solutions in mobile devices?** + +| 1 | 2 | 3 | 4 | 5 | +| :--------------: | :----: | :-------: | :--------: | :-------------: | +| Extremely Seldom | Seldom | Sometimes | Frequently | Very Frequently | + +​ **Do you often use picture-in-picture mode in mobile devices?** + +| 1 | 2 | 3 | 4 | 5 | +| :--------------: | :----: | :-------: | :--------: | :-------------: | +| Extremely Seldom | Seldom | Sometimes | Frequently | Very Frequently | + +​ **Do you often use freeform mode in mobile devices?** + +| 1 | 2 | 3 | 4 | 5 | +| :--------------: | :----: | :-------: | :--------: | :-------------: | +| Extremely Seldom | Seldom | Sometimes | Frequently | Very Frequently | + +​ **Do you often use split-screen mode in mobile devices?** + +| 1 | 2 | 3 | 4 | 5 | +| :--------------: | :----: | :-------: | :--------: | :-------------: | +| Extremely Seldom | Seldom | Sometimes | Frequently | Very Frequently | + +​ **Could you please share your feelings about the security of the Android Multi-window solutions? After learning about these attacks, would you still use the features provided by the Android Multi-window solutions? (not mandatory answer)** + diff --git a/README.md b/README.md index ef21eb9..4d5ff54 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,124 @@ -# Multi-windows -Multi-windows security research data warehouse for Android mobile applications. +# Multi-window Hijacking +As demonstrated recently, Android's multi-window solutions can be plagued by special Activity hijacking. In these attacks, malicious applications launch phishing attacks by replacing their own `HijackingActivity` with the legitimate top Activity of the target application by means of inter-window transmissions. -Screen recording files documenting attacks, exceptions, and permissions related to this project are posted at: https://space.bilibili.com/1981713711/video +The repository contains source code for seven types of Multi-window Hijacking, simulation tests on popular marketplace applications, and two recorded screens of the hijacking. + +## Approach Overview + +Multi-window hijacking includes 7 kinds of hijacking, 3 kinds of hijacking in `Picture-In-Picture (PIP)` mode [`PIP2FS@RaR`, `PIP2FS@SaS`, `FS2PIP`], 3 kinds of hijacking in `Freeform (FF)` mode [`FF2FS@PR`, `FF2FS@WT` , `FS2FF`], and 1 hijack in `SplitScreen(SS)` mode [`SS2FS`]. + +![the picture is missing](./images/overview.png) + +## Artifacts Elements + +### Experimental Infrastructure + +Here is the outline of the directory. + +| . 
| | +| -------------------------------------- | ------------------------------------------------------------ | +| +-- Data | Test data of the experiment | +| +-- RQ2 | Experimental data for RQ2 | +| +-- RQ4 | User survey results for RQ4 | +| +-- Security | Information on multi-window hijacking | +| +-- Code.Phishing Hijacking | Source code for multi-window hijacking | +| +-- ExitFFStack | Source code for FF2FS@WT | +| +-- ExitSwitchFFStack | Source code for FF2FS@PR | +| +-- FFPishing | Source code for FS2FF | +| +-- PIPDemo | Source code for PIP2FS@SaS | +| +-- PIPMoveStack | Source code for PIP2FS@RaR | +| +-- PIPPishing | Source code for FS2PIP | +| +-- SSPhishing | Source code for SS2FS | +| +-- Screen Recording | Screen recording for multi-window hijacking | +| +-- PIPDemo-Android T Pixel 6 Pro | Screen recording of PIP2FS@SaS running on a Pixel 6 Pro VM equipped with Android T | +| +-- PIPMoveStack-Android T-Pixel 6 Pro | Screen recording of PIP2FS@RaR running on a Pixel 6 Pro VM equipped with Android T | + +### Source Code + +The code stored in this repository can be run on both real devices and virtual machines running Android 12 (Android S)/Android 13 (Android T) and supporting multi-window solutions. + +#### PIP2FS@RaR + +Here is the outline of the directory. + +| .app/src/main/java/com/example/pipmovestack | | +| ------------------------------------------- | ------------------------------------------------------- | +| +-- MonitorList.java | List of monitoring target activities | +| +-- MonitorService.java | Service for monitoring | +| +-- VideoActivity.java | Activity used for video playback and also for hijacking | + +#### PIP2FS@SaS + +Here is the outline of the directory. 
+ +| .app/src/main/java/com/example/pipdemo | | +| -------------------------------------- | ------------------------------------------- | +| +-- AnotherVideoActivity.java | the second Activity used for video playback | +| +-- HijackActivity.java | Activity used for hijacking | +| +-- MonitorList.java | List of monitoring target activities | +| +-- MonitorService.java | Service for monitoring | +| +-- VideoActivity.java | Activity used for video playback | + +#### FS2PIP + +Here is the outline of the directory. + +| .app/src/main/java/com/example/pippishing | | +| ----------------------------------------- | ---------------------------------------------- | +| +-- HijackActivity.java | Activity used for hijacking | +| +-- MainActivity.java | Activity that disguises itself as a normal app | + +#### FF2FS@WT + +Here is the outline of the directory. + +| .app/src/main/java/com/example/exitffstack | | +| ------------------------------------------ | ------------------------------------------------------------ | +| +-- MainActivity.java | The activity that disguises itself as a normal app and can open hijacked web page | +| +-- MonitorList.java | List of monitoring target activities | + +#### FF2FS@PR + +Here is the outline of the directory. + +| .app/src/main/java/com/example/exitswitchffstack | | +| ------------------------------------------------ | ------------------------------------------------------------ | +| +-- HijackActivity.java | Activity used for hijacking | +| +-- MainActivity.java | Activity that disguises itself as a normal app and can open hijacked web page | +| +-- MonitorList.java | List of monitoring target activities | + +#### FS2FF + +Here is the outline of the directory. 
+ +| .app/src/main/java/com/example/ffpishing | | +| ---------------------------------------- | ---------------------------------------------- | +| +-- HijackActivity.java | Activity used for hijacking | +| +-- MainActivity.java | Activity that disguises itself as a normal app | +| +-- MonitorList.java | List of monitoring target activities | + +#### SS2FS + +Here is the outline of the directory. + +| .app/src/main/java/com/example/ssphishing | | +| ----------------------------------------- | ---------------------------------------------- | +| +-- MainActivity.java | Activity that disguises itself as a normal app | +| +-- Monitorlist.java | List of monitoring target activities | +| +-- PhishingActivity.java | Activity used for hijacking | + +## Evaluation + +### Evaluation Subjects + +Our RQ2 experiments involved popular market applications, tested on real/virtual devices running Android 12 (Android S)/Android 13 (Android T). The popular market apps we tested included five categories (banking software, financial software, storage software, video software, shopping software). Starting from September 9, 2022, we collected 274 apps with over one million downloads from four widely used app markets in China (`Tencent App Store`, `Huawei App Gallery`, `Vivo App Store`, and `Xiaomi App Store`). + +In the `Hijacked Page` tab, we included the names, categories, target Activity names, purposes of the 274 applications, and whether the app supports FF and SS modes. In the remaining 6 tabs corresponding to hijacks other than `FS2PIP`, there are test results for 233 popular apps (excluding video software) along with notes on the testing conditions (symptoms of failure and situations where there were prompts but the operation was successful). In the `FS2PIP` tab, there are 41 video software app names, whether they support PIP mode, target Activity names, test results, and notes. 
In the `Defence Test` tab, it includes whether all apps have defense strategies, the classification of defense strategies, and experimental data explanations. + +Our RQ4 survey included 231 undergraduate students and teachers with a background in computer science, and we also uploaded our survey questionnaire template. For our developer email survey, we contacted 12 development teams or security teams of popular market applications. Due to privacy and security concerns, we did not upload their responses but only submitted our email templates. + +The `Deception of hijacking`, `Security Analysis`, `Details` tabs contain data consistent with what is mentioned in our paper. In the `FeedBacks` tab, there are 63 user feedback on the security of multi-window solutions as mentioned in our paper. + +## Notes + +- This implementation has been tested with two real devices. **Device1:** Vivo IQOO 10 with OriginOS 13.2 of Android 13 (API 33), 512G storage, Snapdragon 8 plus with 8-core CPU and 12 + 8G memory. **Device2:** Oppo Reno Ace with ColorOS 12.1 of Android 12 (API 31), 512G storage, Snapdragon 855 plus with 8-core CPU and 12 + 8G memory. diff --git a/images/overview.png b/images/overview.png new file mode 100644 index 0000000..898ad45 Binary files /dev/null and b/images/overview.png differ
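Review bot: In the `Data/Developer Email.md` hunk, suggested fix (3) ("Call startActivity method several times when entering sensitive page, so that you can call your own page again when hijacking occurs") is too vague for a recipient team to act on: it does not say which Activity is to be relaunched, under what condition the app decides a hijack has occurred, or what launch flags are meant, so it should be spelled out or the email should point readers at the repository's defence data. Fixes (1) and (2) depend on the user noticing a Toast or notification at the same moment the phishing page is on screen; the email should state the tested Android versions (the README names Android 12/13) and note that these are user-alerting measures rather than technical blocks. Also the `*` in the salutation and the signature should be marked as template fields, and the invisible zero-width characters at the start of each paragraph should be removed since they render as stray spaces in some Markdown viewers.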
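Review bot: In the `Data/User Survey Questionnaire.md` hunk, the likelihood scale used for every "how likely do you think you are to be tricked" question (Extremely Impossible / Impossible / Possible / Very Possible / Definite) is not a balanced scale: three of its five points lie on the "possible" side, which biases responses toward high deception rates and should be documented wherever the RQ4 results are reported (a symmetric scale such as Very Unlikely / Unlikely / Neutral / Likely / Very Likely would be preferable in any future round). The italic placeholders `*there is FS2PIP.mp4.*`, `*there is PIP2FS@SaS.mp4.*`, `*there is PIP2FS@RaR.mp4.*`, `*there is FF2FS@WT.mp4.*`, `*there is FF2FS@PR.mp4.*`, `*there is FS2FF.mp4.*` and `*there is SS2FS.mp4.*` should be replaced with a path or link to the recording the respondent actually watched, since the README only ships recordings for `PIP2FS@SaS` and `PIP2FS@RaR`. Minor: "how harmful do you think ... attack are" should read "attacks are" in each of the seven harm questions.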
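Review bot: In the `README.md` hunk, the removed line "Screen recording files documenting attacks, exceptions, and permissions related to this project are posted at: https://space.bilibili.com/1981713711/video" is the only pointer to recordings of the five hijacks not shipped in the repository (`FS2PIP`, `FF2FS@WT`, `FF2FS@PR`, `FS2FF`, `SS2FS`), while the new text says the repository contains "two recorded screens of the hijacking"; either keep the link or add the missing files under `Screen Recording`. Also the `SS2FS` table lists `Monitorlist.java` while every other module lists `MonitorList.java`; verify against the file on disk, because the Java class name and case-sensitive file systems make the difference matter. The directory names `FFPishing` and `PIPPishing` are inconsistent with `SSPhishing` and with the heading "Code.Phishing Hijacking"; if they are real directory names, say so, otherwise correct the spelling in the table. Finally, the Notes section should state which of the two real devices (or the Pixel 6 Pro VM) each RQ2 test result was produced on, since the `Evaluation` text says tests ran on both real and virtual devices.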