Cybersecurity Lecture Series - Yanick Fratantonio
Meet academic and industry leaders for intimate discussions about new cyber threats, trends and technologies.
The Cybersecurity Lecture Series is a free, open-to-the-public lecture from a thought leader who is advancing the field of information security and privacy. Invited speakers include executives and researchers from private companies, government agencies, start-up incubators as well as Georgia Tech faculty and students presenting their research.
Held weekly each Friday at noon through Apr. 21, lectures are open to all -- students, faculty, industry, government, or simply the curious. Graduate students may register for credit under seminar course CS-8001-INF.
Complimentary lunch provided for registered guests. Please bring your own beverage.
Featuring Yanick Fratantonio on Apr. 7, 2017
"Cloak & Dagger: From Two Android Permissions to Complete Control of the UI Feedback Loop"
ABSTRACT | Although the two Android permissions -- SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE -- have been separately abused to create redressing attacks and accessibility attacks, these previous cyberattacks could never completely control the user interface (UI) feedback loop. (They either relied on vanishing side-channels to time the appearance of overlay UI, could not respond properly to user input, or made the attacks literally visible.)
In this work, we demonstrate how combining the capabilities of these permissions can create a devastating and stealthy new cyberattack on Android devices that grants the adversary complete control of the UI feedback loop. In particular, we demonstrate how an app with the above permissions can launch a variety of powerful attacks -- ranging from stealing users' login credentials and security PINs, to the silent installation of a God-like app with all permissions enabled. To make things even worse, we found that the SYSTEM_ALERT_WINDOW permission is automatically granted for apps installed from the Play Store and, even though BIND_ACCESSIBILITY_SERVICE is not automatically granted, our experiment shows that it is very easy to lure users into unknowingly granting that permission. As such, a user may never notice that a malicious app installed on his/her device is using these two permissions, and thus never suspects the app of carrying out the Cloak & Dagger attack. We also found that it is simple and straightforward to get a proof-of-concept app that requests both permissions into the official Android store.
We evaluated the practicality of these attacks by performing a user study: none of the 20 human subjects who took part in the experiment even suspected they had been attacked. We conclude with a number of observations and best-practices that can help Google app developers to better secure the Android graphical user interface.
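Because the attack the abstract describes needs both capabilities on the same app, a defender's first check is to list which installed packages hold the overlay app-op and have an enabled accessibility service. The script below is an added example written for this page, not code from the talk or the paper; it assumes the output formats of `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, and the sample outputs are constructed rather than captured from a device.

```python
"""Flag packages that hold BOTH capabilities the Cloak & Dagger talk combines.

Assumed adb output formats (AOSP tooling, not from the lecture page):
  adb shell settings get secure enabled_accessibility_services
      -> "pkg/.Service:pkg2/.Service2"
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
      -> "SYSTEM_ALERT_WINDOW: allow; time=..."  (or "deny", or "No operations.")
"""
import re


def parse_accessibility_services(settings_output: str) -> set:
    """Package names that currently have an accessibility service enabled."""
    pkgs = set()
    for entry in settings_output.strip().split(":"):
        if "/" in entry:  # each entry is "package/ServiceClass"
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def overlay_allowed(appops_output: str) -> bool:
    """True only if the SYSTEM_ALERT_WINDOW app-op is in mode 'allow'."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1) == "allow"


def find_dual_capability_packages(settings_output: str, appops_by_pkg: dict) -> list:
    """Packages with an enabled accessibility service AND overlay permission."""
    enabled = parse_accessibility_services(settings_output)
    return sorted(p for p in enabled if overlay_allowed(appops_by_pkg.get(p, "")))


# Constructed sample outputs (hypothetical package names), not real device data.
SAMPLE_SETTINGS = "com.example.helper/.HelperService:com.example.reader/.ReadAloud"
SAMPLE_APPOPS = {
    "com.example.helper": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m ago",
    "com.example.reader": "SYSTEM_ALERT_WINDOW: deny",
    "com.example.game": "SYSTEM_ALERT_WINDOW: allow",  # overlay only, not flagged
}

if __name__ == "__main__":
    for pkg in find_dual_capability_packages(SAMPLE_SETTINGS, SAMPLE_APPOPS):
        print("review:", pkg)
```

A package appearing in the result is not proof of malice; it is the combination the talk warns about and deserves a manual review of why it needs both.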
BIO | Yanick Fratantonio is a Ph.D. candidate in Computer Science at the University of California, Santa Barbara, who plans to join EURECOM as an Assistant Professor upon graduation. His research focuses on mobile systems security and privacy. His research interest is to keep users of mobile devices safe, and his work spans different areas of mobile security, such as malware detection, vulnerability analysis, characterization of emerging threats, and the development of novel practical protection mechanisms. In his free time, he enjoys playing and organizing capture-the-flag competitions with the Shellphish hacking team at UCSB.
The work to be presented started as Fratantonio’s summer project when he interned with the Institute for Information Security & Privacy at Georgia Tech in Summer 2016. The subsequent paper detailing this work has been accepted by, and will be presented at, the IEEE Symposium on Security & Privacy in May 2017.
Tara La Bouff