Abusing Notification Services on Smartphones for Phishing and Spamming Zhi Xu Sencun Zhu Department of Computer Science & Engineering Department of Computer Science & Engineering Pennsylvania State University College of Information Sciences & Technology [email protected] Pennsylvania State University [email protected] ! ABSTRACT Table 1: A summary of experimental results( means feasible and #means infeasible) Notification service is a popular functionality provided by almost Send Anonymous Navigate To Platforms all modern smartphone platforms. To facilitate customization for Notifications Fraudulent View developers, many smartphone platforms support highly customiz- Android 2.3 ! ! able notifications, which allow the third party applications to spec- Android 4.0 ! ! ify the trigger events, the notification views to be displayed, and the ! ! allowed user operations on the notification views. BlackBerry OS 7 In this paper, we show that notification customization may allow iOS 5 # # an installed trojan application to launch phishing attacks or anony- Jailbroken iOS 5 ! ! mously post spam notifications. Through our studies on four major Windows Phone 7.1 # ! smartphone platforms, we show that both Android and BlackBerry OS are vulnerable under the phishing and spam notification attacks. impacts on the current smartphone market. iOS and Windows Phone allow little notification customization, Notification service is a system service provided by the smart- thus launching the phishing and spam attacks will expose the iden- phone platform to both system and third party applications. It al- tity of the trojan application. Attack demonstrations on all plat- lows a notification sender application to notify the smartphone user forms are presented. with a notification view when a trigger event happens. Common To prevent the phishing and spam notification attacks while still notifications include system update notifications, battery shortage allowing notification customization, we propose a Semi-OS-Controlled notifications, and calender reminder notifications. notification view design principle and a Notification Logging ser- Despite the differences in the design and implementation of dif- vice. Moreover, to protect applications from fraudulent views, we ferent smartphone platforms, a notification can be described by propose a view authentication framework, named SecureView, which three elements: the Trigger Event that fires the notification; the enables the third party applications to add the authentication im- Notification View that is displayed on the screen; and the Allowed age and text to their sensitive views (e.g. the account login view). User Operations that defines the invoked actions when a user oper- The implementation and demonstrations of proposed defense ap- ates on the displayed notification view. proaches on Android are also presented in the paper. To facilitate the application development, many smartphone plat- forms allow the third party applications to send customized notifi- cations. For example, Android and BlackBerry allow third party 1. INTRODUCTION applications to submit a customized view object in the notification Phishing and spam attacks are two of the most successful and view. iOS and Windows Phone, being less customizable, only al- profitable attacks [1, 2]. Both attacks have achieved great success low submitting text content. On all these four smartphone plat- through traditional medias, such as email, web, and instant mes- forms, a sender application can trigger notifications when it is not saging. With the fast growth of smartphone markets, we have seen running in the foreground. more and more attempts to launch phishing and spam attacks on Notification customization is widely endorsed by the developer popular smartphone platforms [3, 4, 5]. According to the statistical communities. However, an installed third party application may results in Trusteer report [6], smartphone users are more vulner- abuse the notification customization to send anonymous notifica- able to phishing and spam attacks due to the constrained UI on tions or fraudulent notifications. The anonymous notifications can smartphones. However, most existing phishing and spam attacks be used to distribute unsolicited advertisements, and the fraudulent on smartphones still rely on traditional media, such as SMS [7], notifications can be used to launch phishing attacks against other mobile email [6] and mobile web [4]. Studies are needed regarding installed applications. For example, a trojan application may gener- launching phishing and spam attacks with new features provided ate a fraudulent notification that mimics the Facebook notification by modern smartphone platforms. and leads the user to a fraudulent login view. In this paper, we examine the notification service of four most Our studies on Android and BlackBerry OS show that it is fea- popular smartphone platforms [8], and investigate the feasibility sible for a trojan application to launch both phishing and spam at- for an installed trojan application to distribute phishing notifica- tacks using notification services while hiding among other appli- tions or anonymous spam notification on these platforms. The cations. Through attack demonstrations, we show that a common selected smartphone platforms include Android (version 2.3 and third party application can be easily modified to become a trojan 4.0), BlackBerry OS (version 7), iOS (version 5), and Windows application capable of launching the proposed phishing and spam Phone (version 7.1). According to comScore’s latest report [8], the notification attacks. According to the market share report [8], the selected four smartphone platforms cover 98% share of the U.S. combined market share of Android and BlackBerry OS is about smartphone market. Therefore, our results should have immediate 63.4% in US. On iOS and Windows Phone, due to their limited cus- 1 tomizations, launching the phishing and spam attacks will expose the identity of a trojan application. A summary of our experimental results is shown in Table 1. Further, approaches for stealthy content distribution are discussed to help the proposed trojan applications bypass the application review process of the application store. To prevent the phishing and spam attacks while still allowing notification customization, we propose three defense approaches. First of all, for smartphone platforms, we propose a new Semi- OS-Controlled design principle for the notification view. A Semi- OS-Controlled notification view contains a customizable subview controlled by the sender application, and a wrapper frame that is under control of the smartphone platform. To prevent the phishing Figure 2: A comparison of OS-Controlled and App-Controlled and spam attacks, the wrapper frame contains the authentication notification views information of the sender application. 2.2 Notification Customization Secondly, we propose a notification logging service that records For notification customization, a sender application specifies a posted notifications with sender authentication information, so that notification from three aspects: (1) the trigger event that will fire an user can review any suspicious notifications that were posted. this notification, (2) the content to display in this notification, and Thirdly, we propose a view authentication framework, named Se- (3) the allowed user operations on this notification. cureView, which enables a third party application to prevent phish- Trigger Event: The trigger event is an event that fires the noti- ing notification attacks by adding an authentication image and text fication. It could be a system event (e.g. scheduled alarms), or an to its sensitive views (e.g. the account login view). application event generated by an application service running in the The contributions of paper are summarized as follows: background. The flexibility on notification triggering allows a tro- • To the best of our knowledge, we are the first to discuss the jan application to fire anonymous notifications when it is not run- feasibility of launching phishing attacks using the notifica- ning in the foreground. For example, on Android, a sender appli- tion service on smartphones. • We present detailed designs, implementations, and demos cation can fire notifications whenever the screen is turned on with on how to launch phishing and spam attacks on four major the Intent.ACTION_SCREEN_ON intent broadcasted by OS. smartphone platforms. Notification View: The Notification View represents the displayed • We present three feasible defense approaches that can be eas- view of a notification. It carries the content that the sender applica- ily applied on existing smartphone platforms, and present the tion wants to show on the screen, such as a text message, an image, implementations of the proposed approaches on Android. or even a complex subview. By the control of displayed contents, We hope our proactive security study will draw attention of smart- the notification views in existing notification services can be cate- phone users as well as platform vendors. gorized into two groups, OS-Controlled and App-Controlled. In OS-Controlled notification views, the layout of a notification 2. SMARTPHONE NOTIFICATION SERVICE view is fixed and the sender application can only pass a text mes- sage to display. For example, in the Notification Alert on iOS 5 2.1 Overview (shown in Figure 2(1)), the only thing that the sender application A notification is a message dialog that is shown on the surface of can control is the text message shown in the notification view. a smartphone
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages11 Page
-
File Size-