VirtualSwindle: An automated attack against in-app billing on Android

ASIA CCS 2014 - Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security

Volumn , Issue , 2014, Pages 459-470

  Mulliner, Collin ^a   Robertson, William ^a   Kirda, Engin ^a  

^a NORTHEASTERN UNIVERSITY   (United States)

Author keywords

App protection; Mobile application; Payment; Smartphone security

Indexed keywords

AUTOMATION;

AUTOMATED ATTACKS; FINANCIAL TRANSACTIONS; FULLY AUTOMATED; MOBILE APPLICATIONS; PAYMENT; ROBUSTNESS STUDIES; SMARTPHONE SECURITIES; VIRTUAL GOODS;

ANDROID (OPERATING SYSTEM);

EID: 84984907980     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2590296.2590335     Document Type: Conference Paper

References (26)

1. Apktool Developers. android-apktool - A tool for reverse engineering Android apk files. http://code:google:com/p/android-apktool/, November 2012.
2. Bethea, D., Cochran, R. A., and Reiter, M. K. Server-side verification of client behavior in online games. In 17th ISOC Network and Distributed System Security Symposium (NDSS) (2010).
3. Bursztein, E., Hamburg, M., Lagarenne, J., and Boneh, D. OpenConflict: Preventing Real Time Map Hacks in Online Games. In IEEE Symposium on Security and Privacy (May 2011).
4. Chainfire. SuperSU. https://play:google:com/store/apps/details?id=eu:chainfire:supersu&hl=en, November 2012.
5. Clowes, S. injectso - Modifying and Spying on running processes under Linux and Solaris. http://www:blackhat:com/presentations/bh-europe-01/shaun-clowes/bh-europe-01-clowes:ppt, 2001.
6. CLShortFuse. SuperOneClick. http://forum:xda-developers:com/showthread:php?t=803682, November 2012.
7. CyanogenMod Developers. CyanogenMod. http://www:cyanogenmod:org/, November 2012.
8. Davis, B., Sanders, B., Khodaverdian, A., and Chen, H. I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications. In Workshop on Mobile Security Technologies (MoST) (May 2012).
9. Egele, M., Kruegel, C., Kirda, E., and Vigna, G. PiOS: Detecting Privacy Leaks in iOS Applications. In Network and Distirbuted Systems Security Symposium (NDSS) (2 2011).
10. Enck, W., Gilbert, P., Chun, B., Cox, L. P., Jung, J., McDaniel, P., and Sheth, A. N. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Symposium on Operating Systems Design and Implementation (OSDI) (2010).
11. Freeman, J. Cydia Substrate for Android. http://www:cydiasubstrate:com/.
12. Google. In-app Billing. http://developer:android:com/guide/google/play/billing/, November 2012.
13. Google. In-app Billing Security and Design. http://developer:android:com/guide/google/play/billing/billing-best-practices:html, November 2012.
14. HTC. Unlock Bootloader. http://htcdev:com/bootloader/, November 2012.
15. Mitterhofer, S., Platzer, C., Kirda, E., and Kruegel, C. Server-side Bot Detection in Massively Multiplayer Online Games. IEEE Security and Privacy Magazine (5 2009).
16. Oracle. The Reflection API. http://docs:oracle:com/javase/tutorial/reflect/index:html, November 2012.
17. Petroni Jr, N., Fraser, T., Walters, A., and Arbaugh, W. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In USENIX Security Symposium (2006).
18. Reynaud, D., Song, D., Tom Magrino, E. W., and Shin, R. POSTER: FreeMarket: Shopping for free in Android applications. In ISOC Network and Distributed System Security Symposium (NDSS) (February 2012).
19. Seshadri, A., Luk, M., Shi, E., Perrig, A., van Doorn, L., and Khosla, P. Verifying code integrity and enforcing untampered code execution on legacy systems. In ACM Symposium on Operating System Principles (SOSP) (2005).
20. Spalka, A., Cremers, A., and Langweg, H. Trojan Horse Attacks on Software for Electronic Signatures. In Informatica (2002).
21. T. Stracener and E. A. Smith and S. Barnum. So Many Ways to Slap a Yo-Ho: Hacking Facebook and YoVille. http://www:defcon:org/images/defcon-18/dc-18-presentations/Stracener-Smith-Barnum/DEFCON-18-Stracener-Smith-Barnum-So-Many-Ways:pdf, August 2010.
22. Vollmer, R. Xposed. http://repo:xposed:info/.
23. Watson, R. N. M. TrustedBSD: Adding Trusted Operating System Features to FreeBSD. In USENIX Annual Technical Conference, FREENIX Track (2001), pp. 15-28.
24. Xu, R., Saidi, H., and Anderson, R. Aurasium: Practical Policy Enforcement for Android Applications. In USENIX Security Symposium (August 2012).
25. Yan, L. K., and Yin, H. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In USENIX Security Symposium (August 2012).
26. ZonD80. Getting started to receive your in-app for free on iOS. http://system:in-appstore:com/, Ocrober 2012.