摘要
移动终端在飞速发展的同时也带来了安全问题,其中,口令是用户信息的第一道安全防线,因此针对用户口令的窃取攻击是主要的安全威胁之一.利用Android系统中Toast机制设计的缺陷,实现了一种基于Toast重复绘制机制的新型口令攻击.通过分析Android Toast机制的实现原理和功能特点,发现恶意应用可利用Java反射技术定制可获取用户点击事件的Toast钓鱼键盘.虽然Toast会自动定时消亡,但是由于Toast淡入淡出动画效果的设计缺陷,恶意应用可优化Toast绘制策略,通过重复绘制Toast钓鱼键盘使其长时间驻留并覆盖于系统键盘之上,从而实现对用户屏幕输入的隐蔽劫持.最后,攻击者可以通过分析用户点击在Toast钓鱼键盘上的坐标信息,结合实际键盘布局推测出用户输入的口令.在移动终端上实现该攻击并进行了用户实验,验证了该攻击的有效性、准确性和隐蔽性,结果表明:当口令长度为8时,攻击成功率为89%.发现的口令漏洞已在Android最新版本中得到修复.
The mobile platform is rapidly emerging as one of the dominant computing paradigms of the last decades. However, there are also security issues that can work against mobile platforms. Being the first line of defense of various cyber attacks against mobiles,password protection serves an import role in protecting users’ sensitive data. The offensive and defensive techniques related to passwords,therefore, gained a lot of attention. This work systematically studied the design flaws existing in the Android Toast mechanism and discovered a new type of vulnerability leveraging on Toast fade-in and fade-out animation, where malware can create a strategy of continuously displaying keyboard-like Toast views to capture the user’s inputs stealthily, thereby stealing the user’s password. The attackhas implemented, and extensive user experiments are performed to demonstrate its effectiveness, accuracy, and stealthiness. The results show that when the password length is 8, the attack success rate can reach up to 89%. It has also confirmed that the latest Android system has patched this vulnerability.
作者
凌振
杨彦
刘睿钊
张悦
贾康
杨明
LING Zhen;YANG Yan;LIU Rui-Zhao;ZHANG Yue;JIA Kang;YANG Ming(School of Computer Science and Engineering,Southeast University,Nanjing 211189,China;College of Cyber Security,Jinan University,Guangzhou 510632,China)
出处
《软件学报》
EI
CSCD
北大核心
2022年第6期2047-2060,共14页
Journal of Software
基金
国家重点研发计划(2018YFB0803400)
国家自然科学基金(62022024,61972088,62072103,62072098)
江苏省自然科学基金优青项目(BK20190060)。
