GUI-Squatting Attack: Automated Generation

Abstract—Mobile phishing attacks, such as mimicked mobile browser pages and apps that masquerade as legitimate applications through repackaging or cloning, have caused varied yet significant security concerns. Consequently, detection techniques have been receiving increasing attention. However, many such detection methods are not well tested and may therefore still be vulnerable to new types of phishing attacks. In this article, we propose a new attack technique, named the GUI-Squatting attack, which can generate phishing apps (phapps) automatically and effectively on the Android platform. Our method adopts image processing and deep learning algorithms to enable powerful and large-scale attacks. We observe that a successful phishing attack requires two conditions, page confusion and logic deception, during attack synthesis. We directly optimize these two conditions to create a practical attack. Our experimental results reveal that existing phishing defenses are less effective against such emergent attacks and may, therefore, stimulate more efficient detection techniques. To further demonstrate that our generated phapps can not only bypass existing detection techniques but also deceive real users, we conduct a human study and successfully steal users’ login information. The human study also shows that different response messages (e.g., “Crash” and “Server failed”) after pressing the login button mislead users into regarding our phapps as functionality problems instead of security threats. Extensive experiments reveal that such newly proposed attacks still remain mostly undetected and are worth further exploration.
