Publication

This Sneaky Piggy Went to the Android Ad Market: Misusing Mobile Sensors for Stealthy Data Exfiltration

Michalis Diamantaris , Serafeim Moustakas , Lichao Sun , Sotiris Ioannidis , Jason Polakis .

♦ FORTH | ♣ Lehigh University | ♠ Technical University of Crete | ♥ University of Illinois at Chicago

In Proceedings of the ACM Conference on Computer and Communications Security (CCS), November 2021, Virtual. [Paper]

Abstract

Mobile sensors have transformed how users interact with modern smartphones and enhance their overall experience. However, the absence of sufficient access control for protecting these sensors enables a plethora of threats. As prior work has shown, malicious apps and sites can deploy a wide range of attacks that use data captured from sensors. Unfortunately, as we demonstrate, in the modern app ecosystem where most apps fetch and render third-party web content, attackers can use ads for delivering attacks.

In this paper, we introduce a novel attack vector that misuses the advertising ecosystem for delivering sophisticated and stealthy attacks that leverage mobile sensors. These attacks do not depend on any special app permissions or specific user actions, and affect all Android apps that contain in-app advertisements due to the improper access control of sensor data in WebView. We outline how motion sensor data can be used to infer users' sensitive touch input (e.g., credit card information) in two distinct attack scenarios, namely intra-app and inter-app data exfiltration. While the former targets the app displaying the ad, the latter affects every other Android app running on the device. To make matters worse, we have uncovered serious flaws in Android's app isolation, life cycle management, and access control mechanisms that enable persistent data exfiltration even after the app showing the ad is moved to the background or terminated by the user. Furthermore, as in-app ads can "piggyback" on the permissions intended for the app's core functionality, they can also obtain information from protected sensors such as the camera, microphone and GPS. To provide a comprehensive assessment of this emerging threat, we conduct a large-scale, end-to-end, dynamic analysis of ads shown in apps available in the official Android Play Store. Our study reveals that ads in the wild are already accessing and leaking data obtained from motion sensors, thus highlighting the need for stricter access control policies and isolation mechanisms.

BibTex

@inproceedings{10.1145/3460120.3485366,
author = {Diamantaris, Michalis and Moustakas, Serafeim and Sun, Lichao and Ioannidis, Sotiris and Polakis, Jason},
title = {This Sneaky Piggy Went to the Android Ad Market: Misusing Mobile Sensors for Stealthy Data Exfiltration},
year = {2021},
isbn = {9781450384544},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3460120.3485366},
doi = {10.1145/3460120.3485366},
booktitle = {Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security},
keywords = {mobile html5, android in-app ads, webview, sensor attacks},
location = {Virtual Event, Republic of Korea},
series = {CCS '21}
}

Tools

The system for analyzing in-app ads is available here.

The input inference classifier is available here.

Contact

In case you have questions about this project, contact Michalis Diamantaris.