artificial immune systems based approach to detect botnet spamming programs on Android phones. We also observed advertising Android apps, such as AirPush [26], which use the status bar notification to post third-party advertisements on Android smartphones. Unlike existing advertising apps, which openly expose their identity, the trojan application in our proposed spam notification attacks hides its identity. Moreover, we show the feasibility of distributing spam notifications not only via the status bar notification but also via the toast notification service.
6.2 Phishing Attacks on Smartphones
Niu et al. [4] also studied design flaws of mobile browsers that may allow web-based phishing attacks. They pointed out that many featured functions of mobile browsers, such as URL truncation and hiding the URL bar on page load, make it difficult for the user to recognize a phishing webpage.
Besides email and the browser, phishing attacks with fake applications have also been discovered. In the 09Droid case, a programmer named “09Droid” published several fake banking applications on Google’s Android Market in an attempt to steal users’ account login information.
Felt and Wagner [5] also studied the feasibility of navigating the user to a fraudulent login view or login webpage by abusing the control transfer function provided on Android and iOS. One concern with their approach is that the identity of the trojan application is easy to reveal: if the user is interacting with a malicious application before the transfer, the identity of that application is known to the user. In our proposed phishing attacks, identifying the trojan application is much more difficult for the smartphone user.
Recently, Schulte and Percoco [27] presented a trojan-based phishing attack on Android, which claims to exploit a design flaw of the Android platform so as to lead the user to a fraudulent Facebook login view controlled by an installed trojan app. Google argued that such attacks are impractical [27]. Compared to this view-based phishing attack, the notification-based phishing attacks we propose are more practical and easier to implement. Further, demonstrations of the proposed phishing notification attacks on Android are presented as well.
7. CONCLUSIONS
In this paper, we study the feasibility of launching phishing and spam attacks from an installed trojan application by abusing the customizable notification service. Experimental results and attack demonstrations are presented on four major smartphone platforms. Further, we present approaches for stealthy spam content distribution that can help trojan applications bypass the application review process in application stores. To defend against the proposed attacks, we suggest a Semi-OS-Controlled design principle for notification views, a SecureView framework for general view authentication, and a notification logging service for notification review.
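The notification logging service suggested above is meant to make the true poster of each notification reviewable, which is exactly what the trojan in our attacks hides from the user. The following script is added here as an illustration and is not code from the paper or from any platform implementation. It assumes a log written by the OS at the moment an app calls the notification API, in a constructed line format, and reviews it with three simple heuristics: a notification that names a brand but was posted by a package other than that brand's own app, a generic login prompt from a package that owns no known brand, and a toast carrying a URL, since toasts display no sender at all. The log format, the package names, the sample log lines and the brand-to-package table are all assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One line per notification, written by a hypothetical OS-side logging
# service when an app calls the notification API, so the "poster" column
# is the package that really issued it, whatever the text claims.
# Constructed format for this example:
#   <timestamp> <poster package> <status_bar|toast> "<text>" <click target or ->
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<poster>\S+)\s+(?P<kind>status_bar|toast)\s+'
    r'"(?P<text>[^"]*)"\s+(?P<target>\S+)$'
)

# Constructed sample log; package names and texts are illustrative only.
SAMPLE_LOG = """
2012-05-01T10:01:03 com.example.weatherwidget status_bar "Sunny, 24C" com.example.weatherwidget/.MainActivity
2012-05-01T10:02:17 com.example.freegame status_bar "Your Facebook session expired, tap to log in" com.example.freegame/.FbLoginActivity
2012-05-01T10:02:18 com.example.freegame toast "Cheap meds at http://pills.example/" -
2012-05-01T10:05:44 com.facebook.katana status_bar "Facebook: you have 2 new messages" com.facebook.katana/.MainActivity
2012-05-01T10:09:30 com.example.flashlight status_bar "Sign in to claim your prize" com.example.flashlight/.PromoActivity
"""

# Brand names and the package allowed to speak for them: a constructed
# allow-list for the example, not a platform-provided table.
BRAND_OWNERS: Dict[str, str] = {
    "facebook": "com.facebook.katana",
    "paypal": "com.paypal.android.p2pmobile",
}
LOGIN_WORDS = ("log in", "login", "sign in", "password", "session expired")
URL_RE = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class NotificationRecord:
    ts: str
    poster: str   # package that called the notification API
    kind: str     # "status_bar" or "toast"
    text: str
    target: str   # component launched on click, "-" for toasts


def parse_log(log: str) -> List[NotificationRecord]:
    """Parse the logging service's output; reject malformed lines loudly."""
    records = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed log line: {line!r}")
        records.append(NotificationRecord(**m.groupdict()))
    return records


def review(records: List[NotificationRecord]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, poster, reason) for notifications worth a second look."""
    findings = []
    for r in records:
        lower = r.text.lower()
        # Brand named in the text, but the poster is not that brand's own app.
        mismatched = [b for b in BRAND_OWNERS if b in lower and BRAND_OWNERS[b] != r.poster]
        if mismatched:
            findings.append((r.ts, r.poster,
                             f"mentions {', '.join(mismatched)} but was posted by {r.poster}"))
        # Login prompt from a package that is not known to own any brand.
        elif any(w in lower for w in LOGIN_WORDS) and r.poster not in BRAND_OWNERS.values():
            findings.append((r.ts, r.poster, "login prompt from an app that owns no known brand"))
        # Toasts carry no sender identity, so a URL in one deserves attention.
        if r.kind == "toast" and URL_RE.search(r.text):
            findings.append((r.ts, r.poster, "toast carries a URL; toasts display no sender identity"))
    return findings


def posters_by_volume(records: List[NotificationRecord]) -> List[Tuple[str, int]]:
    """Most active posters first, so a chatty trojan stands out even if each text looks benign."""
    return Counter(r.poster for r in records).most_common()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, poster, reason in review(recs):
        print(f"{ts} {poster}: {reason}")
    for poster, n in posters_by_volume(recs):
        print(f"{n:3d} {poster}")
```

The value of the log is the poster column: the trojan can write "Facebook" into the notification text, but it cannot change which package the OS recorded as the caller, so review becomes a comparison between what the text claims and who actually posted it. The brand table is the weak point of this heuristic and would have to be maintained per platform; the per-poster volume listing needs no such table and already exposes an app that posts far more than its purpose justifies.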
8. ACKNOWLEDGMENTS
We thank the reviewers for the valuable comments. This work
was supported in part by NSF CAREER 0643906. The views and
conclusions contained in this document are those of the author(s)
and should not be interpreted as representing the official policies,
either expressed or implied, of NSF or the U.S. Government.
9. REFERENCES
[1] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage, “Spamalytics: An empirical analysis of spam marketing conversion,” in Proc. of ACM CCS’08, 2008.
[2] R. Dhamija, J. D. Tygar, and M. Hearst, “Why phishing works,” in Proc. of the SIGCHI Conference on Human Factors in Computing Systems (CHI ’06), 2006.
[3] I. Vural and H. S. Venter, “Detecting mobile spam botnets using artificial immune systems,” in IFIP Int. Conf. on Digital Forensics, 2011, pp. 183–192.
[4] Y. Niu, F. Hsu, and H. Chen, “iPhish: Phishing vulnerabilities on consumer electronics,” in Proc. of UPSEC ’08, 2008.
[5] A. P. Felt and D. Wagner, “Phishing on mobile devices,” in Proc. of W2SP ’11: Web 2.0 Security and Privacy, 2011.
[6] M. Boodaei, “Mobile users three times more vulnerable to phishing attacks,” http://www.trusteer.com/blog/mobile-users-three-times-more-vulnerable-phishing-attacks.
[7] Wikipedia, “Mobile phone spam,” http://en.wikipedia.org/wiki/Mobile_phone_spam.
[8] S. Schroeder, “2 of every 3 smartphones sold are Android or iOS,” http://mashable.com/2011/10/06/2-of-every-3-smartphones-sold-are-android-or-ios-report/.
[9] M. Jakobsson, E. Shi, P. Golle, and R. Chow, “Implicit authentication for mobile devices,” in Proc. of the HotSec Workshop ’09, 2009.
[10] G. Wright, “Facebook plist mobile security hole allows identity theft,” http://garethwright.com/blog/facebook-mobile-security-hole-allows-identity-theft, April 2012.
[11] S. Perez, “A new reason to jailbreak: Custom widgets in iOS 5’s Notifications Center,” http://developersarena.com/web/2011/06/a-new-reason-to-jailbreak-custom-widgets-in-ios-5s-notifications-center/.
[12] Android, “The Android Open Source Project,” http://source.android.com/.
[13] Gartner Inc., “Gartner says worldwide mobile advertising revenue forecast to reach $3.3 billion in 2011,” http://www.gartner.com/it/page.jsp?id=1726614.
[14] Apple Inc., “App Store review guidelines,” https://developer.apple.com/appstore/guidelines.html.
[15] KrebsOnSecurity, “How much is that phished PayPal account?” http://krebsonsecurity.com/2011/10/how-much-is-that-phished-paypal-account/.
[16] W. Zhou, Y. Zhou, X. Jiang, and P. Ning, “Detecting repackaged smartphone applications in third-party Android marketplaces,” in Proc. of CODASPY ’12, 2012.
[17] WeiPhone, “WeiPhone forum,” http://bbs.weiphone.com/.
[18] J. Freeman, “Cydia,” http://cydia.saurik.com/.
[19] J. Herrman, “iOS 4 jailbroken within a day of first release,” http://gizmodo.com/5558277/ios-4-jailbroken-within-a-day-of-first-release.
[20] E. Fish, “iOS 5 jailbreak is already here; geeks not surprised,” http://www.pcworld.com/article/241877/ios_5_jailbreak_is_already_here_geeks_not_surprised.html.
[21] WillFour20, “An example of a custom Notification Centre widget on iOS 5,” https://github.com/WillFour20/WeeAppTest.
[22] AT&T, “Block spam text messages on your wireless phone,” http://www.att.com/esupport/article.jsp?sid=KB115812&cv=820#fbid=VLIsitNsUpI.
[23] D. Mate, “Anti SMS Spam & Private Box for Android,” https://play.google.com/store/apps/details?id=org.baole.app.antismsspam&hl=en.
[24] “iBlacklist for iPhone,” http://www.iblacklist.com.br/.
[25] G. V. Cormack, J. M. G. Hidalgo, and E. P. Sanz, “Feature engineering for mobile (SMS) spam filtering,” in Proc. of the ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR ’07), New York, NY, USA: ACM, 2007, pp. 871–872.
[26] Airpush, “The Android ad network,” http://www.airpush.com/.
[27] E. Mills, “Android could allow mobile ad or phishing pop-ups,” http://news.cnet.com/8301-27080_3-20089123-245/android-could-allow-mobile-ad-or-phishing-pop-ups/, August 2011.
[28] Google Developers, “Android Cloud to Device Messaging framework,” http://code.google.com/android/c2dm/index.html.
[29] BlackBerry Developer, “BlackBerry Push Service options,” http://us.blackberry.com/developers/platform/pushapi.jsp.
[30] Apple Inc., “Apple Push Notification Service,” http://developer.apple.com/library/mac/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/ApplePushService/ApplePushService.html.
[31] Microsoft, “Push notifications overview for Windows Phone,” http://msdn.microsoft.com/en-us/library/ff402558(v=vs.92).aspx.