1 Introduction
2 Related Work
2.1 Android App Building
- Dalvik Executable (DEX) file: The executable file resulting from compilation of the Java source code.
- Manifest file: A file containing app properties such as privileges, the app package name, and version.
- eXtensible Markup Language (XML) file: A file in which the user interface (UI) layout and values are defined.
- Resource file: A file containing resources required for app execution, such as images.
2.2 Android App Distribution
- Developer registration: Anyone can register as a developer for USD 25. The app developer requests developer registration by sending his/her personal information and credit information to the market. The market then checks the information and approves the registration accordingly.
- App registration: The developer sends a self-signed app to the market and requests its registration. The market checks that the app is signed and that the package name does not conflict with that of a previously registered app. If there are no problems, the app is registered in the market.
- App distribution: The registered app is immediately published to users and distributed to them at their request.
- App installation and signature verification: A check is done to see whether any installed app has the same package name; if so, the developer signature is compared to see whether it is in fact the same app. Depending on the result, the app is installed, or updated, or the installation is cancelled.
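The registration and installation checks above, modelled as an added example (this is not the paper's code and not Android's installer; the certificates are constructed byte strings and the signer comparison hashes those bytes instead of parsing a real certificate). Beyond what the list states, the model also refuses an update whose version is lower than the installed one, which Android's installer does as well.

```python
from __future__ import annotations
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Apk:
    package: str          # package name from the manifest
    version_code: int     # version from the manifest
    signer_cert: bytes    # developer's signing certificate (constructed bytes here)


def cert_fingerprint(cert: bytes) -> str:
    """Identify a signer by the SHA-256 of its certificate bytes."""
    return hashlib.sha256(cert).hexdigest()


def market_accepts(registry: dict[str, Apk], candidate: Apk) -> bool:
    """App registration: the app must be signed and its package name must be unused."""
    if not candidate.signer_cert:
        return False
    return candidate.package not in registry


def install_decision(installed: dict[str, Apk], candidate: Apk) -> str:
    """App installation: return 'install', 'update' or 'reject' for the candidate."""
    existing = installed.get(candidate.package)
    if existing is None:
        return "install"   # no package-name clash: fresh install
    if cert_fingerprint(existing.signer_cert) != cert_fingerprint(candidate.signer_cert):
        return "reject"    # same name, different developer signature: not the same app
    if candidate.version_code < existing.version_code:
        return "reject"    # same signer but a downgrade (not in the list above; Android refuses it)
    return "update"        # same name, same signer, newer or equal version


# Constructed sample data: a bank's signer and a second, unrelated signer.
BANK_CERT = b"constructed-cert-bank"
OTHER_CERT = b"constructed-cert-other"
INSTALLED = {"com.example.bank": Apk("com.example.bank", 10, BANK_CERT)}
REGISTRY = dict(INSTALLED)


def demo() -> dict[str, object]:
    genuine_update = Apk("com.example.bank", 11, BANK_CERT)
    same_name_other_signer = Apk("com.example.bank", 12, OTHER_CERT)
    renamed_copy = Apk("com.example.bank.free", 1, OTHER_CERT)
    return {
        "update": install_decision(INSTALLED, genuine_update),
        "impostor": install_decision(INSTALLED, same_name_other_signer),
        "renamed_install": install_decision(INSTALLED, renamed_copy),
        "renamed_market": market_accepts(REGISTRY, renamed_copy),
        "clash_market": market_accepts(REGISTRY, same_name_other_signer),
    }


if __name__ == "__main__":
    print(demo())
```

The last two results are the point the next sections build on: a copy that keeps the bank's package name is rejected both by the market and by the installer, while a copy under a new package name passes both checks, because neither check ties the package name to a particular signer.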
2.3 Repackaging Vulnerability
2.4 Repackaging Attack
- Modification point search: The activity information, UI layout, and app execution flow are gathered, and the points at which code is to be inserted are selected. Logcat [11] can be used to gather activity names and obtain information on the activities that run during app execution. The onCreate function of the activities can then be decompiled in order to obtain the UI information and the XML information used in the UI.
- Decompilation: After extracting the DEX file from the APK file, a decompilation tool called baksmali [16] is used to generate the smali source code.
- Code injection and modification: Code containing arbitrary Dalvik VM instructions is inserted at the modification point, or the existing code is modified.
- Manifest change: The package name is changed in the app manifest. When this is done, the app can be registered on the Android Market without conflicting with existing apps.
- Self-signing: The modified app is self-signed to complete the repackaging.
3 Attack on Android Banking Apps
Symbol | Description |
---|---|
\(A\) | Attacker’s name |
\(S\) | Sender’s name |
\(R\) | Recipient’s name |
\(H(x)\) | Hash function on message \(x\) |
\({ver}\) | APK version |
\({{\textit{APK}}}_{org}\) | Original APK file |
\({{\textit{APK}}}_{mod}\) | Modified APK file |
\({{\textit{AC}}}_{A}\) | Attacker’s account number |
\({{\textit{AC}}}_{R}\) | Recipient’s account number |
\({\$}\) | Amount requested to be transferred |
\({\$}{^\prime }\) | Amount allowed to be transferred after balance checking |
\({{\textit{PWD}}}_{S}\) | Sender’s account passwords |
\({{\textit{PSC}}}_{S}\) | Sender’s personal security card information |
\({Sign}_{A}(x)\) | Signature on message \(x\) using entity \(A\)’s private key |
\({{\textit{ID}}}_{B}\) | Bank identifier |
3.1 Smartphone Banking Apps
Name | Type | APK version | APK hashing | Anti-virus checking | Obfuscation applied | Encryption applied |
---|---|---|---|---|---|---|
H-bank | Webview | 2.12 | No | Yes | No | Yes |
I-bank | Widget | 1.1.1 | No | Yes | No | Yes |
K-bank | Widget | 1.8 | No | Yes | Yes | Yes |
N-bank | Widget | 1.1 | Yes | Yes | No | Yes |
S-bank | Widget | 2.6.6 | No | Yes | No | Yes |
SC-bank | Webview | 1.5 | No | Yes | No | Yes |
W-bank | Widget | 3.0.5 | No | Yes | No | Yes |
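The "APK hashing" column above refers to an app checking that its own package has not been altered. As an added example (not from the paper and not any bank's code), the following builds a minimal APK-like zip in memory, then runs the two checks that a repackaged copy fails: the hash of `classes.dex` against a value the genuine build would ship with, and the signer certificate against the genuine developer's. The file names follow the APK layout; the DEX, manifest and `META-INF/CERT.RSA` contents are constructed placeholder bytes, and the signer check hashes the certificate blob whole rather than parsing PKCS#7.

```python
import hashlib
import io
import zipfile


def build_apk(dex: bytes, manifest: bytes, signer_cert: bytes) -> bytes:
    """Assemble a toy APK (a zip with the three entries the checks look at)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", dex)
        z.writestr("META-INF/CERT.RSA", signer_cert)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_check(apk_bytes: bytes, expected_dex_hash: str, expected_signer: str) -> dict:
    """Return which of the two self-checks the package passes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        dex = z.read("classes.dex")
        cert = z.read("META-INF/CERT.RSA")
    return {
        "dex_ok": sha256_hex(dex) == expected_dex_hash,       # APK hashing
        "signer_ok": sha256_hex(cert) == expected_signer,     # signature verification
    }


# Constructed genuine build: these two values are what the bank would bake in.
GENUINE_DEX = b"constructed-dex-bytes-of-the-genuine-banking-app"
GENUINE_MANIFEST = b'<manifest package="com.example.bank" versionName="1.0"/>'
BANK_CERT = b"constructed-cert-bank"
EXPECTED_DEX_HASH = sha256_hex(GENUINE_DEX)
EXPECTED_SIGNER = sha256_hex(BANK_CERT)


def genuine_apk() -> bytes:
    return build_apk(GENUINE_DEX, GENUINE_MANIFEST, BANK_CERT)


def repackaged_apk() -> bytes:
    """A copy following the steps of Sect. 2.4: modified DEX, new package name, self-signed."""
    modified_dex = GENUINE_DEX + b"+injected"
    modified_manifest = GENUINE_MANIFEST.replace(b"com.example.bank", b"com.example.bank.free")
    return build_apk(modified_dex, modified_manifest, b"constructed-cert-attacker")


def run_checks() -> dict:
    return {
        "genuine": integrity_check(genuine_apk(), EXPECTED_DEX_HASH, EXPECTED_SIGNER),
        "repackaged": integrity_check(repackaged_apk(), EXPECTED_DEX_HASH, EXPECTED_SIGNER),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The expected hash and signer fingerprint live inside the app, so a check of this kind only holds up if the code that performs it is itself covered by the signature the platform verifies at install time; the table shows that most of the surveyed apps relied on anti-virus checking and encryption rather than on this kind of self-check.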