Hit by the Bus: QoS Degradation Attack on Android

Mobile apps need optimal performance and responsiveness to rise amongst numerous rivals on the market. Further, some apps like media streaming or gaming apps cannot even function properly with a performance below a certain threshold. In this work, we present the first performance degradation attack on Android OS that can target rival apps using a combination of logical channel leakages and low-level architectural bottlenecks in the underlying hardware. To show the viability of the attack, we design a proof-of-concept app and test it on various mobile platforms. The attack runs covertly and brings the target to the level of unresponsiveness. With less than 10% CPU time in the worst case, it requires minimal computational effort to run as a background service, and requires only the UsageStats permission from the user. We quantify the impact of our attack using 11 popular benchmark apps, running 44 different tests.} The measured QoS degradation varies across platforms and applications, reaching a maximum of 90\% in some cases. The attack combines the leakage from logical channels with low-level architectural bottlenecks to design a malicious app that can covertly degrade Quality of Service (QoS) of any targeted app. Furthermore, our attack code has a small footprint and is not detected by the Android system as malicious. Finally, our app can pass the Google Play Store malware scanner, Google Bouncer, as well as the top malware scanners in the Play Store.

[1]  Christopher Krügel,et al.  What the App is That? Deception and Countermeasures in the Android User Interface , 2015, 2015 IEEE Symposium on Security and Privacy.

[2]  Onur Aciiçmez,et al.  Predicting Secret Keys Via Branch Prediction , 2007, CT-RSA.

[3]  Stefan Mangard,et al.  ARMageddon: Last-Level Cache Attacks on Mobile Devices , 2015, ArXiv.

[4]  Zhuoqing Morley Mao,et al.  Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks , 2014, USENIX Security Symposium.

[5]  Thomas Plos,et al.  On the Applicability of Time-Driven Cache Attacks on Mobile Devices , 2013, NSS.

[6]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[7]  Gorka Irazoqui Apecechea,et al.  S$A: A Shared Cache Attack That Works across Cores and Defies VM Sandboxing -- and Its Application to AES , 2015, 2015 IEEE Symposium on Security and Privacy.

[8]  ARM® Synchronization Primitives , 2009 .

[9]  Andrey Bogdanov,et al.  Differential Cache-Collision Timing Attacks on AES with Applications to Embedded CPUs , 2010, CT-RSA.

[10]  Klara Nahrstedt,et al.  Identity, location, disease and more: inferring your secrets from android public resources , 2013, CCS.

[11]  Kay Römer,et al.  Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud , 2017, NDSS.

[12]  Michael M. Swift,et al.  A Placement Vulnerability Study in Multi-Tenant Public Clouds , 2015, USENIX Security Symposium.

[13]  Vitaly Shmatikov,et al.  Memento: Learning Secrets from Process Footprints , 2012, 2012 IEEE Symposium on Security and Privacy.

[14]  Onur Aciiçmez,et al.  Yet another MicroArchitectural Attack:: exploiting I-Cache , 2007, CSAW '07.

[15]  Gorka Irazoqui Apecechea,et al.  Wait a Minute! A fast, Cross-VM Attack on AES , 2014, RAID.

[16]  Jean-Pierre Seifert,et al.  New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures , 2007, IMACC.

[17]  Thomas Eisenbarth,et al.  Co-location detection on the Cloud , 2016, IACR Cryptol. ePrint Arch..

[18]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[19]  Michael K. Reiter,et al.  Cross-VM side channels and their use to extract private keys , 2012, CCS.

[20]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[21]  References , 1971 .

[22]  Gorka Irazoqui Apecechea,et al.  Efficient, adversarial neighbor discovery using logical channels on Microsoft Azure , 2016, ACSAC.

[23]  Michael K. Reiter,et al.  HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis , 2011, 2011 IEEE Symposium on Security and Privacy.

[24]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[25]  Billy Bob Brumley,et al.  Cache Storage Attacks , 2015, CT-RSA.

[26]  Yanick Fratantonio,et al.  Drammer: Deterministic Rowhammer Attacks on Mobile Platforms , 2016, CCS.

[27]  Alec Wolman,et al.  Protecting Data on Smartphones and Tablets from Memory Attacks , 2015, ASPLOS.