Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices

Android system attackers have proposed various attack schemes to invade users’ privacy. One way is to use ADB (Android Debug Bridge) with advanced permissions but low protection. In order to set up an ADB connection successfully, the USB debugging option of the target device must be turned on. However, the existing ADB-based attack schemes have not proposed how to enable the USB debugging, so it couldn’t be considered that their attack chain is completable. This paper presents an approach for attacking Android devices by exploiting JavaScript to enable USB debugging automatically in the device’s system settings, which fills in the gaps of existing solutions. This method can bypass the security mechanism of USB debugging mode and obtain an ADB connection without the user’s authorization. It can also bypass the alerts that ADB Action Monitor displays when sensitive behaviors are detected. Based on AccessibilityService, Auto.js and Scrcpy, an application called Salaxy is designed and implemented to demonstrate the effectiveness of this method. Besides, Salaxy can monitor and manipulate Android devices remotely.

[1]  Josep Jorba,et al.  Remote Control of Mobile Devices in Android Platform , 2013, ArXiv.

[2]  Jinqiao Shi,et al.  Toward a Comprehensive Insight Into the Eclipse Attacks of Tor Hidden Services , 2019, IEEE Internet of Things Journal.

[3]  Hao Chen,et al.  TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion , 2011, HotSec.

[4]  Wojciech Mazurczyk,et al.  (In)Secure Android Debugging: Security analysis and lessons learned , 2019, Comput. Secur..

[5]  João Paulo Barros,et al.  Exploring USB Connection Vulnerabilities on Android Devices - Breaches using the Android Debug Bridge , 2017, SECRYPT.

[6]  Li Yang,et al.  Malicious Behavior Analysis of Android GUI Based on ADB , 2017, 22017 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC).

[7]  Mohsen Guizani,et al.  An effective key management scheme for heterogeneous sensor networks , 2007, Ad Hoc Networks.

[8]  Mohsen Guizani,et al.  Evaluating Reputation Management Schemes of Internet of Vehicles Based on Evolutionary Game Theory , 2019, IEEE Transactions on Vehicular Technology.

[9]  Weizhi Meng,et al.  Charging Me and I Know Your Secrets!: Towards Juice Filming Attacks on Smartphones , 2015, CPSS@ASIACSS.

[10]  Shen Su,et al.  Block-DEF: A secure digital evidence framework using blockchain , 2019, Inf. Sci..

[11]  Apu Kapadia,et al.  Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones , 2011, NDSS.

[12]  Shen Su,et al.  Real-Time Lateral Movement Detection Based on Evidence Reasoning Network for Edge Computing Environment , 2019, IEEE Transactions on Industrial Informatics.

[13]  Xiaojiang Du,et al.  Security in wireless sensor networks , 2008, IEEE Wireless Communications.

[14]  Amir Rahmati,et al.  ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem , 2018, USENIX Security Symposium.

[15]  Xiaojiang Du,et al.  A Distributed Deep Learning System for Web Attack Detection on Edge Devices , 2020, IEEE Transactions on Industrial Informatics.

[16]  Mohsen Guizani,et al.  A data-driven method for future Internet route decision modeling , 2019, Future Gener. Comput. Syst..

[17]  Sungjae Hwang,et al.  Bittersweet ADB: Attacks and Defenses , 2015, AsiaCCS.

[18]  Deepak Kumar,et al.  SoK: “Plug & Pray” Today – Understanding USB Insecurity in Versions 1 through C , 2017 .

[19]  Mansoor Alam,et al.  Security enhancement of secure USB debugging in Android system , 2015, 2015 12th Annual IEEE Consumer Communications and Networking Conference (CCNC).

[20]  Dongwen Zhang,et al.  Nei-TTE: Intelligent Traffic Time Estimation Based on Fine-Grained Time Derivation of Road Segments for Smart City , 2020, IEEE Transactions on Industrial Informatics.

[21]  Xiaojiang Du,et al.  A survey of key management schemes in wireless sensor networks , 2007, Comput. Commun..

[22]  Mohsen Guizani,et al.  Vcash: A Novel Reputation Framework for Identifying Denial of Traffic Service in Internet of Connected Vehicles , 2019, IEEE Internet of Things Journal.

[23]  Xiaojiang Du,et al.  Internet Protocol Television (IPTV): The Killer Application for the Next-Generation Internet , 2007, IEEE Communications Magazine.