Unleashing the Walking Dead: Understanding Cross-App Remote Infections on Mobile WebViews


As a critical feature for enhancing user experience, cross-app URL invocation has been reported to cause unauthorized execution of app components. Although protection has already been put in place, little has been done to understand the security risks of navigating an app’s WebView through a URL, a legitimate need for displaying the app’s UI during cross-app interactions. In our research, we found that the current design of such cross-WebView navigation actually opens the door to a cross-app remote infection, allowing a remote adversary to spread malicious web content across different apps’ WebView instances and acquire stealthy and persistent control of these apps. This new threat, dubbed Cross-App WebView Infection (XAWI), enables a series of multi-app, colluding attacks never thought of before, with significant real-world impacts. Particularly, we found that the remote adversary can collectively utilize multiple infected apps’ individual capabilities to escalate his privileges on a mobile device or orchestrate a highly realistic remote phishing attack (e.g., running a malicious script in Chrome to stealthily change Twitter’s WebView to fake Twitter’s own login UI). We show that the adversary can easily find such attack “building blocks” (popular apps whose WebViews can be redirected by another app) through an automatic fuzz, and discovered about 7.4% of the most popular apps subject to the XAWI attacks, including Facebook, Twitter, Amazon and others. Our study reveals the contention between the demand for convenient cross-WebView communication and the need for security control on the channel, and makes the first step toward building OS-level protection to safeguard this fast-growing technology.

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security