Scan-and-Pay on Android is Dangerous

Mobile payments have increased significantly in recent years, and one-to-one money transfers are offered by a wide variety of smartphone applications. These applications usually support scan-and-pay, a technique that allows a payer to scan the destination address of the payment directly from the payee's smartphone screen. This technique is pervasive because it does not require any particular hardware, only the camera, which is present on all modern smartphones. However, in this work we show that a malicious application can exploit the overlay feature on Android to compromise the integrity of transactions that make use of the scan-and-pay technique. We implement Malview, a proof-of-concept malicious application that runs in the background on the payee's smartphone, and show that it succeeds in redirecting payments to a malicious wallet. We analyze the weaknesses of the current defense mechanisms and discuss possible countermeasures against the attack.
