DroidPill: Pwn Your Daily-Use Apps

Abstract

Nowadays, attacking and defending Android apps has be- come an arms race between black hats and white hats. In this paper, we explore a new hacking technique called the App Confusion Attack, which allows hackers to take full control of benign apps and their resources without device root- ing or privilege escalation. Conceptually, an App Confusion Attack hijacks the launching process of each benign app, and forces it to run in a virtual execution context controlled by hackers, instead of the native one provided by the Android Application Framework. This attack is furtive but lethal. When a user clicks on a benign app, the malicious alternative can be loaded and executed with an indistinguishable user interface. As a result, hackers can manipulate the communication between the benign app and the OS, including kernel and system services, and manipulate the code and data at will. To address this issue, we build DroidPill, a framework for malware creation that employs the app virtualization technique and the design flaws in Android to achieve such attacks with free apps. Our evaluation results and case studies show that DroidPill is practical and effective. Lastly, we conclude this work with several possible countermeasures to the App Confusion Attack.