Android-based Cryptocurrency Wallets: Attacks and Countermeasures

The security of a cryptocurrency wallet is directly tied to the security of the personal assets it holds. However, because of design defects in mobile operating systems and in the wallets themselves, security incidents involving cryptocurrency wallets occur frequently, causing irreversible losses to users' assets or privacy. In this paper, we study the security risks of Android-based cryptocurrency wallets. We establish an adversary model, analyze the attack surface that originates from the Android OS, and demonstrate several attack vectors through experiments on multiple popular cryptocurrency wallets from the Google Play Store. Finally, we present several defense strategies that address these security risks.
