Phishing on smartphones

Building phishing attacks is easier for smartphones than for computers.

  • There’s no visual way of knowing what app is currently running, in either iOS or Android.  There’s no task bar or anything analogous.
  • In mobile browsers, web sites can make the browser URL bar disappear.
  • In Android, a web site can make all of the browser chrome disappear.  This means you can make a web site that looks like it’s an app.
I talk about this topic in my W2SP paper.
Here are some screenshots of phishing attacks I built.

(1) On the left is the real Amazon MP3 Store Android app.  On the right is a phishing website I made: it runs in the Android web browser but looks and acts like the real app.

Below the jump are two more phishing attacks.

(2) On the left is the real Facebook Android app.  On the right is my fake Facebook Android app.  My attack app intercepts calls to the real app and pops open.  After the user enters a password it will close and send the user to the real Facebook app.


(3) On the left is the real Android web browser.  On the right is my fake browser that pretends to be the default Android web browser.  They’re both showing the same legitimate website, but the fake browser will record all of the user’s keystrokes.


This entry was posted in Mobile security, Usability, Web security.