Activity hijacking attack,one type of attack on Android interface,steal user's information by hijacking the original activity interface that users use.In this paper,the effectiveness of activity hijacking attack was experimentally tested on several versions of Android systems and four necessary characteristics with the malicious behavior of activity hijacking were described.A novel static detection method called AHDetecor (activity hijacking detector) was proposed to detect the activity hijacking behavior based on its code features and multiple data flows.AHDetecor determines whether the test app is undergoing an activity hijacking attack based on the following four conditions:1)whether the test app has the permission to send out the data by analyzing the manifest configuration file;2)whether the test app simultaneously has three components:scanning,hijacking and privacy leakage according to its code features;3)whether the test app has the invoking relationship between the components of scanning and user's input;4)whether the test app has the data flows between the hijacking component and the privacy leaking component.If none of these conditions is satisfied,the detection is terminated and the test app is judged as no activity hijacking behavior.In order to evaluate the effectiveness of AHDetector,eighteen malicious Android apps were designed and implemented to cover all the activity hijacking attack logical paths while other four Android app lockers were adopted to check the false positive judgements.The test results showed that AHDetector can effectively detect malicious apps with activity hijacking attack behavior without any false positive judgement.On the other hand six popular online detection systems (Andrubis,VirusTotal,visualThreat,Security Housekeeper,Tencent Security and Netqin Security)cannot detect 18 malicious Android apps with activity hijacking attacks.%Android界面劫持是一种通过劫持用户使用过程中的界面输入流窃取用户隐私信息的攻击方式.本文首先通过实验验证了该攻击在安卓多个版本上的有效性,继而分析了包含界面劫持攻击的恶意应用的4个必备特征,提出了一种基于代码特征以及多组件数据流跟踪的静态检测方法AHDetector(activity hijacking detector).AHDetector方法包括4个步骤:通过分析manifest配置文件,判断被检测应用是否申请了外传数据的敏感权限;根据代码特征判断被检测应用中是否同时存在界面劫持攻击必备的3种功能组件:后台扫描组件,劫持界面组件以及隐私外传组件;通过分析组件间的调用关系,判断应用中具有扫描功能的组件与接受界面输入的组件之间是否存在调用关系;通过组件间数据流分析,确定劫持界面组件和隐私外传组件之间是否存在隐私数据的传递.继而判定被检测应用是否包含界面劫持攻击.为了验证AHDetector的检测效果,本文设计实现了覆盖界面劫持功能组件所有逻辑路径的18个样例来测试方法的有效性,同时采用了4个应用锁样例来检测误判性.测试结果表明,AHDetector能够有效的检测出应用中所有的界面劫持攻击行为,同时不会误判,而6个常见的恶意应用在线检测平台(Andrubis、VirusTotal、visualThreat、安全管家在线检测、腾讯安全实验室在线检测、网秦安全)则不能检测出界面劫持攻击行为.
展开▼
