Abusing notification services on smartphones for phishing and spamming

Zhi Xu, Sencun Zhu

Research output: Contribution to conference › Paper › peer-review

Abstract

Notification services are a popular feature provided by almost all modern smartphone platforms. To facilitate customization by developers, many smartphone platforms support highly customizable notifications, which allow third-party applications to specify the trigger events, the notification views to be displayed, and the user operations permitted on those views. In this paper, we show that notification customization may allow an installed trojan application to launch phishing attacks or to anonymously post spam notifications. Through our study of four major smartphone platforms, we show that both Android and BlackBerry OS are vulnerable to the phishing and spam notification attacks. iOS and Windows Phone allow little notification customization, so launching the phishing and spam attacks on those platforms exposes the identity of the trojan application. Attack demonstrations on all four platforms are presented. To prevent the phishing and spam notification attacks while still allowing notification customization, we propose a Semi-OS-Controlled notification view design principle and a Notification Logging service. Moreover, to protect applications from fraudulent views, we propose a view authentication framework, named SecureView, which enables third-party applications to add an authentication image and text to their sensitive views (e.g. the account login view). The implementation and demonstration of the proposed defense approaches on Android are also presented in the paper.

Original language: English (US)
State: Published - Jan 1 2012
Event: 6th USENIX Workshop on Offensive Technologies, WOOT 2012 - Bellevue, United States
Duration: Aug 6 2012 - Aug 7 2012

Conference

Conference: 6th USENIX Workshop on Offensive Technologies, WOOT 2012
Country/Territory: United States
City: Bellevue
Period: 8/6/12 - 8/7/12

All Science Journal Classification (ASJC) codes

  • Hardware and Architecture
  • Information Systems
  • Software
  • Computer Networks and Communications
