Arzt, Steven ; Huber, Stephan ; Rasthofer, Siegfried ; Bodden, Eric (2014)
Denial-of-App Attack: Inhibiting the Installation of Android Apps on Stock Phones.
4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices. Scottsdale
Konferenzveröffentlichung, Bibliographie
Kurzbeschreibung (Abstract)
We describe a novel class of attacks called denial-of-app that allows adversaries to inhibit the future installation of attacker-selected applications on mobile phones. Adversaries can use such attacks to entrap users into installing attacker-preferred applications, for instance to generate additional revenue from advertisements on a competitive app market or to increase the rate of malware installation. Another possibility is to block anti-virus applications or security workarounds to complicate malware detection and removal.
We demonstrate such an attack that works on arbitrary unmodified stock Android phones. It is even possible to block many applications from a list predefined by the attacker instead of just a single app. Even more, we propose an attack for banning applications from Google Play Store regardless of the user's phone by exploiting similar vulnerabilities in the market's app vetting process. Unblocking an application blocked by our attack requires either root privileges or a complete device reset. The Android security team has confirmed and fixed the vulnerability in Android 4.4.3 (bug 13416059) and has given consent to this publication within a responsible-disclosure process. To the best of our knowledge, the attack applies to all versions prior to Android 4.4.3.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2014 |
| Autor(en): | Arzt, Steven ; Huber, Stephan ; Rasthofer, Siegfried ; Bodden, Eric |
| Art des Eintrags: | Bibliographie |
| Titel: | Denial-of-App Attack: Inhibiting the Installation of Android Apps on Stock Phones |
| Sprache: | Englisch |
| Publikationsjahr: | 2014 |
| Reihe: | Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices |
| Veranstaltungstitel: | 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices |
| Veranstaltungsort: | Scottsdale |
| Kurzbeschreibung (Abstract): | We describe a novel class of attacks called denial-of-app that allows adversaries to inhibit the future installation of attacker-selected applications on mobile phones. Adversaries can use such attacks to entrap users into installing attacker-preferred applications, for instance to generate additional revenue from advertisements on a competitive app market or to increase the rate of malware installation. Another possibility is to block anti-virus applications or security workarounds to complicate malware detection and removal. We demonstrate such an attack that works on arbitrary unmodified stock Android phones. It is even possible to block many applications from a list predefined by the attacker instead of just a single app. Even more, we propose an attack for banning applications from Google Play Store regardless of the user's phone by exploiting similar vulnerabilities in the market's app vetting process. Unblocking an application blocked by our attack requires either root privileges or a complete device reset. The Android security team has confirmed and fixed the vulnerability in Android 4.4.3 (bug 13416059) and has given consent to this publication within a responsible-disclosure process. To the best of our knowledge, the attack applies to all versions prior to Android 4.4.3. |
| Fachbereich(e)/-gebiet(e): | LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt 20 Fachbereich Informatik > EC SPRIDE 20 Fachbereich Informatik > EC SPRIDE > Secure Software Engineering Zentrale Einrichtungen LOEWE 20 Fachbereich Informatik LOEWE > LOEWE-Zentren |
| Hinterlegungsdatum: | 24 Nov 2014 14:17 |
| Letzte Änderung: | 24 Nov 2014 14:17 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum