Previous [ 1] [ 2] [ 3] [ 4] [ 5] [ 6] [ 7] [ 8] [ 9] [ 10] [ 11] [ 12] [ 13] [ 14] [ 15] [ 16] [ 17] [ 18] [ 19] [ 20] [ 21]


Journal of Information Science and Engineering, Vol. 31 No. 3, pp. 1097-1111 (May 2015)

Bypass Cell-phone-verification Through a Smartphone-based Botnet

Advanced Defense Lab
Department of Computer Science and Information Engineering
National Central University
Taoyuan County, 320 Taiwan

Due to the trend that more and more web services, such as Google, Facebook, and many auction websites, require users to open their new accounts or to login to their accounts through cell-phone-verification, cell-phone-verification has become an important function of cellular phones. However, our research shows that cell-phone-verification is not always reliable. This study proposes a new attack method named MAC-YURI (My ACcount, YoUr ResponsIbility) against cell-phone-verification to show people one possible abuse of smartphones. Through MAC-YURI, an attacker can utilize a compromised smartphone as a steppingstone to accept and forward account verification code to finish cell-phone-verification when applying a new account or logging in to an account. We have implemented MAC-YURI on an Android smartphone. Experimental results show that MAC-YURI can successfully assist an attacker in obtaining the verification code of an account without the awareness of a steppingstone smartphone owner. Besides, MACYURI also develops an SMS-based mechanism to create a smartphone-based botnet. After such a botnet is created, it is difficult to locate the bot master or the machine a bot will contact in the future. Finally, this paper proposes some recommendations to protect a smartphone against MAC-YURI.

Keywords: cell-phone-verification, smartphone-based botnet, cell-phone security

Full Text () Retrieve PDF document (201505_18.pdf)

Received October 1, 2013; revised November 26, 2013; accepted December 20, 2013.
Communicated by Hung-Min Sun.
* This work was supported by the National Science Committee of Taiwan under Project NSC 101-2221-E-008- 028-MY2 and Project NSC 100-2218-E-008-013-MY3.