TY - JOUR
T1 - GUI-Squatting Attack
T2 - Automated Generation of Android Phishing Apps
AU - Chen, Sen
AU - Fan, Lingling
AU - Chen, Chunyang
AU - Xue, Minhui
AU - Liu, Yang
AU - Xu, Lihua
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2021
Y1 - 2021
N2 - Mobile phishing attacks, such as those that mimic mobile browser pages or masquerade as legitimate applications by leveraging repackaging or cloning techniques, have caused varied yet significant security concerns. Consequently, detection techniques have been receiving increasing attention. However, many such detection methods are not well tested and may therefore still be vulnerable to new types of phishing attacks. In this article, we propose a new attack technique, named the GUI-Squatting attack, which can generate phishing apps (phapps) automatically and effectively on the Android platform. Our method adopts image processing and deep learning algorithms to enable powerful and large-scale attacks. We observe that a successful phishing attack requires two conditions, page confusion and logic deception, during attack synthesis. We directly optimize these two conditions to create a practical attack. Our experimental results reveal that existing phishing defenses are less effective against such emergent attacks and may, therefore, stimulate more efficient detection techniques. To further demonstrate that our generated phapps can not only bypass existing detection techniques but also deceive real users, we conduct a human study and successfully steal users' login information. The human study also shows that different response messages (e.g., 'Crash' and 'Server failed') after pressing the login button mislead users into regarding our phapps as functionality problems instead of security threats. Extensive experiments reveal that such newly proposed attacks still remain mostly undetected and are worth further exploration.
AB - Mobile phishing attacks, such as those that mimic mobile browser pages or masquerade as legitimate applications by leveraging repackaging or cloning techniques, have caused varied yet significant security concerns. Consequently, detection techniques have been receiving increasing attention. However, many such detection methods are not well tested and may therefore still be vulnerable to new types of phishing attacks. In this article, we propose a new attack technique, named the GUI-Squatting attack, which can generate phishing apps (phapps) automatically and effectively on the Android platform. Our method adopts image processing and deep learning algorithms to enable powerful and large-scale attacks. We observe that a successful phishing attack requires two conditions, page confusion and logic deception, during attack synthesis. We directly optimize these two conditions to create a practical attack. Our experimental results reveal that existing phishing defenses are less effective against such emergent attacks and may, therefore, stimulate more efficient detection techniques. To further demonstrate that our generated phapps can not only bypass existing detection techniques but also deceive real users, we conduct a human study and successfully steal users' login information. The human study also shows that different response messages (e.g., 'Crash' and 'Server failed') after pressing the login button mislead users into regarding our phapps as functionality problems instead of security threats. Extensive experiments reveal that such newly proposed attacks still remain mostly undetected and are worth further exploration.
KW - android apps
KW - android GUI attacks
KW - Android phishing apps
UR - http://www.scopus.com/inward/record.url?scp=85119497684&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2019.2956035
DO - 10.1109/TDSC.2019.2956035
M3 - Article
AN - SCOPUS:85119497684
SN - 1545-5971
VL - 18
SP - 2551
EP - 2568
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 6
ER -