Android Data-Clone Attack via Operating System Customization

Wenna Song; Ming Jiang; Han Yan; Yi Xiang; Yuan Chen; Yuan Luo; Kun He; Guojun Peng

doi:10.1109/ACCESS.2020.3035089

IEEE Access (Jan 2020)

Android Data-Clone Attack via Operating System Customization

Wenna Song,
Ming Jiang,
Han Yan,
Yi Xiang,
Yuan Chen,
Yuan Luo,
Kun He,
Guojun Peng

Affiliations

Wenna Song: ORCiD; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Ming Jiang: ORCiD; Computer Science and Engineering Department, The University of Texas at Arlington, Arlington, TX, USA
Han Yan: ORCiD; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Yi Xiang: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Yuan Chen: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Yuan Luo: ORCiD; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Kun He: ORCiD; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Guojun Peng: ORCiD; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China

DOI: https://doi.org/10.1109/ACCESS.2020.3035089
Journal volume & issue: Vol. 8
pp. 199733 – 199746

Abstract

Read online

To avoid the inconvenience of retyping a user's ID and password, most mobile apps now provide the automatic login feature for a better user experience. To this end, auto-login credential is stored locally on the smartphone. However, such sensitive credential can be stolen by attackers and placed into their smartphones via the well-known credential-clone attack. Then, attackers can imperceptibly log into the victim's account, which causes more devastating and covert losses than merely intercepting the user's password. In this article, we propose a generalized Android credential-clone attack, called data-clone attack. By exploiting the new-found vulnerabilities of original equipment manufacturer (OEM)-made phone clone apps, we design an identity theft method that overcomes the problem of incomplete credential extraction and eliminates the requirement of root authority. To evade the consistency check of device-specific attributes in apps, we design two environment customization methods for app-level and operating system (OS)-level, respectively. Especially, we develop a transparent Android OS customization solution, named CloneDroid, which simulates 101 special attributes of Android OS. We implement a prototype of CloneDroid and the experimental results show that 172 out of 175 most-downloaded apps' accounts can be jeopardized, such as Facebook and WeChat. Moreover, our study has identified 18 confirmed zero-day vulnerabilities. Our findings paint a cautionary tale for the security community that billions of accounts are potentially exposed to Android OS customization-assisted data-clone attacks.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords