
Research And Implementation Of Malicious Code Injection And Attack On Android

Posted on: 2018-02-11
Degree: Master
Type: Thesis
Country: China
Candidate: W Y Bao
Full Text: PDF
GTID: 2348330518495947
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid popularization of Android smartphones, the number of Android devices and applications is growing explosively, and the security issues caused by Android malware are increasingly serious. As Android development languages diversify, malware techniques and attack methods show a new trend: attacks on Hybrid applications keep emerging. The worsening malicious-code problem is caused by deficiencies in the Android security mechanism and vulnerabilities in Hybrid technology, which allow malicious code to be injected into mobile devices and to attack them easily. Research on the methods of malicious code injection and attack on Android is therefore of great significance for improving the Android security mechanism, avoiding loopholes in new technology, and further protecting the interests of users.

The main work is as follows:

Firstly, the security mechanism of Android and its access to private data are studied, and the vulnerabilities in access to SMS, Contacts and location are analyzed. A system architecture for malicious code is then presented, based on remote control through instructions pushed by a third-party platform. The system carries out simulated attacks on each privacy-related hole. The concrete attack process of each module in the system is then described, including SMS monitoring and sending and the theft of Contacts and location information.

Secondly, the interaction mechanism between the WebView and the third-party frameworks related to Hybrid apps is discussed, and the Cross-site Scripting (XSS) loopholes of Hybrid apps are studied. A theory of XSS attacks on Hybrid apps is then proposed. On the basis of this theory, schemes for stealing private data through different external channels are presented. Each attack process is then elaborated, including the monitoring and sending of SMS via Wi-Fi, the theft of Contacts via QR code, and the theft of location information via Bluetooth.

Finally, using reverse analysis, Apktool and Keytool, the malicious code for Native apps is injected into target apps to test the attack effect, and the malicious code for Hybrid apps is checked with PhoneGap plugins and a QR code generator. Experimental results demonstrate that there are vulnerabilities in the privacy-related functions of Android, and XSS vulnerabilities in Hybrid technology, components and frameworks. The malicious code could also be injected into the target apps and steal private data successfully.
Keywords/Search Tags:Android, Hybrid applications, Malicious codes, Cross-site Scripting