Medusa Attack: Exploring Security Hazards of In-App QR Code Scanning

Datasets including appids and downloads/ratings (for Android/iOS apps) of all the tested apps

Source code of analysis tools including RAH presence analysis and RAH registration analysis

 

The Medusa attack is a new attack against mobile apps on both Android and iOS. In a typical Medusa attack, a meticulously crafted QR code drives the built-in QR code reader to (indirectly) trigger a class of app functions defined as remotely accessible handlers (RAHs), and tricks them into performing privileged operations.

The Medusa attack is a real and practical threat to the security of mobile apps. We conducted an empirical study of the 800 most popular Android and iOS apps in the two largest mobile ecosystems, the US and mainland China mobile markets, and investigated the prevalence and severity of Medusa attack-related security vulnerabilities. Among the 337/800 apps with in-app QR code scanning functionality, more than one third (115/337) have potential Medusa attack-related vulnerabilities.

 

For more details, please see our USENIX Security 2023 paper.


Novelty of Medusa Attack

Unlike conventional web-to-app attacks (e.g., embedding malicious HTML code in a QR code [1] or crafting a URI that contains malicious URLs [2]), which trick the victim app into accessing malicious URLs or executing injected code, the Medusa attack aims at manipulating normal execution with polluted data. After an app scans a QR code, it usually uses data extracted from the QR code as parameters to execute local functions (e.g., launching an Activity, or creating a WebView to access the app's web server). If those parameters are not carefully sanitized, the executed functions are hijacked (the Bank-of-China case in Section 5.6.1 demonstrates an Activity hijacking) to load untrusted resources, which help attackers (indirectly) access exposed RAHs. Thus, the Medusa attack is better described as a parameter pollution attack, and it extends the scope of web-to-app attacks.
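The sanitization gap described above can be modelled in a few lines. This is an added example, not code from the paper or from any tested app: it contrasts a handler that validates only the outer QR URL with one that also validates the parameter that reaches the RAH-bearing WebView. The host names, the `target` parameter name and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions: hosts allowed to receive the app's RAHs, and the parameter name.
TRUSTED_HOSTS = {"app.example.com", "pay.example.com"}
PARAM = "target"

def extract_target(qr_payload):
    """Return the first value of the hypothetical 'target' parameter, or None."""
    values = parse_qs(urlsplit(qr_payload).query).get(PARAM)
    return values[0] if values else None

def naive_handler(qr_payload):
    """Unsafe: checks only the outer URL, then trusts the inner parameter."""
    if urlsplit(qr_payload).hostname not in TRUSTED_HOSTS:
        return {"load": None, "expose_rahs": False}
    return {"load": extract_target(qr_payload), "expose_rahs": True}

def is_trusted(url):
    """HTTPS only, exact-match host allowlist, no userinfo component."""
    try:
        parts = urlsplit(url or "")
        host = parts.hostname
    except ValueError:
        return False
    return parts.scheme == "https" and host in TRUSTED_HOSTS and "@" not in parts.netloc

def hardened_handler(qr_payload):
    """Validate the outer URL and the value that actually reaches the WebView."""
    target = extract_target(qr_payload) if is_trusted(qr_payload) else None
    if not is_trusted(target):
        # Refuse: untrusted content must never load in a WebView that carries RAHs.
        return {"load": None, "expose_rahs": False}
    return {"load": target, "expose_rahs": True}

# Constructed sample payloads (not taken from the paper).
BASE = "https://app.example.com/scan?target="
SAMPLES = {
    "benign": BASE + "https%3A%2F%2Fpay.example.com%2Forder%2F42",
    "polluted": BASE + "https%3A%2F%2Fattacker.test%2Fpage",
    "lookalike": BASE + "https%3A%2F%2Fpay.example.com.attacker.test%2F",
    "downgrade": BASE + "http%3A%2F%2Fpay.example.com%2F",
}
```

The naive handler exposes RAHs to every sample because the outer host is always trusted; the hardened handler accepts only the benign one.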

Uniqueness and effectiveness of our analysis

The key difference between our analysis and existing techniques is that prior works only consider straightforward dataflows: the W2AI attack [2] utilizes Android Intent to load malicious URLs, BabelView [3] conducts a MitM attack to tamper with HTTP communication and inject code, and the PhoneGap attack [1] assumes that HTML5 apps directly execute malicious scripts in payload data. These approaches cannot analyze the complex dataflow from QR code scanning to RAH invocation, in which the payload from the QR code first goes to an intermediate object (e.g., an Activity or a remote web server) and then returns to the vulnerable WebView. In comparison, our approach first uses static analysis to pinpoint all available RAHs, and then uses dynamic monitoring instead of dataflow analysis to identify the WebView objects created by the QR code reader and which RAHs belong to those WebViews. This helps precisely determine which RAHs could be triggered by a QR code scan.
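The join between the static RAH catalogue and the runtime observations can be sketched as follows. This is an added, simplified illustration and not the paper's tooling: the event format, the bridge names and the rule used to attribute a WebView to the QR reader are all assumptions, and the trace is constructed.

```python
# Constructed static-analysis result: bridge object name -> exposed methods (RAHs).
STATIC_RAHS = {
    "PayBridge": ["startPayment", "getToken"],
    "ShareBridge": ["shareText"],
    "DebugBridge": ["dumpLogs"],
}

# Constructed runtime trace in a hypothetical instrumentation-hook format.
TRACE = [
    {"t": 1, "ev": "webview_created", "wv": "wv1"},
    {"t": 2, "ev": "bridge_registered", "wv": "wv1", "bridge": "DebugBridge"},
    {"t": 3, "ev": "qr_decoded"},
    {"t": 4, "ev": "webview_created", "wv": "wv2"},
    {"t": 5, "ev": "bridge_registered", "wv": "wv2", "bridge": "PayBridge"},
    {"t": 6, "ev": "bridge_registered", "wv": "wv2", "bridge": "ShareBridge"},
    {"t": 7, "ev": "user_input"},
    {"t": 8, "ev": "webview_created", "wv": "wv3"},
    {"t": 9, "ev": "bridge_registered", "wv": "wv3", "bridge": "DebugBridge"},
]

def rahs_reachable_from_scan(trace, static_rahs):
    """Map each scan-created WebView to the RAHs registered on it.

    Attribution rule (an assumption): a WebView belongs to the QR reader if it
    is created after a qr_decoded event and before the next user_input event.
    """
    in_scan_window = False
    scan_webviews = {}
    for event in sorted(trace, key=lambda e: e["t"]):
        kind = event["ev"]
        if kind == "qr_decoded":
            in_scan_window = True
        elif kind == "user_input":
            in_scan_window = False
        elif kind == "webview_created" and in_scan_window:
            scan_webviews[event["wv"]] = []
        elif kind == "bridge_registered" and event["wv"] in scan_webviews:
            bridge = event["bridge"]
            # Keep only bridges the static pass confirmed as RAHs.
            for method in static_rahs.get(bridge, []):
                scan_webviews[event["wv"]].append(f"{bridge}.{method}")
    return scan_webviews

def unreachable_rahs(trace, static_rahs):
    """RAHs present in the app but never attached to a scan-created WebView."""
    reached = {r for rahs in rahs_reachable_from_scan(trace, static_rahs).values() for r in rahs}
    return sorted(f"{b}.{m}" for b, ms in static_rahs.items() for m in ms if f"{b}.{m}" not in reached)
```

A developer can use the same split to decide which handlers need origin checks first: those attached to scan-created WebViews are the ones a QR payload can reach.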

Impact of Medusa Attack

Our study shows that a significant portion of popular apps (115/800, 14.38%) were still vulnerable to the Medusa attack in 2022, and 80 apps (69.6%) are susceptible to severe security threats. We have contacted the developers of the affected apps, and 36 of them have confirmed the vulnerabilities. We have received 15 CNVDs, including 7 high-severity ones.

Why Do People Scan Malicious QR Codes?

There is a very good chance that a malicious QR code will be scanned: many QR codes are publicly available (e.g., on the menu of a restaurant) and are easily tampered with. Moreover, humans cannot tell, and are often not aware, whether a QR code is malicious. Another factor that makes the Medusa attack feasible is the significant diversity of QR code usage among different countries/regions [4][5]. In some countries (e.g., China) you cannot use one app (e.g., the official QR scanner) to handle different QR codes (especially offline ones, see the photos below). Instead, you have to use the specific app to parse the corresponding QR code [6][7]. In such cases, more apps are exposed to the threat of the Medusa attack.

A Malicious QR Code Example

Accessing the URL encoded in the QR code directly returns no content. In fact, the URL is just data: the app extracts parameters from it and passes them into a native function, ultimately leading to invocation of the custom RAHs.


[1] X. Jin, X. Hu, K. Ying, W. Du, H. Yin and G. N. Peri. Code injection attacks on html5-based mobile apps: Characterization, detection and mitigation, in Proc. ACM SIGSAC conference on computer and communications security (CCS), 2014

[2] B. Hassanshahi, Y. Jia, R. HC Yap, P. Saxena and Z. Liang. Web-to-Application Injection Attacks on Android: Characterization and Detection, in Proc. 20th European Symposium on Research in Computer Security (ESORICS), 2015

[3] C. Rizzo, L. Cavallaro and J. Kinder. Babelview: Evaluating the Impact of Code Injection Attacks in Mobile Webviews, in Proc. 21st International Symposium on Research in Attacks, Intrusions, and Defenses (RAID), 2018

[4] https://www.qrcode-tiger.com/qr-codes-have-been-used-all-around-china-and-you-can-also-track-all-the-data

[5] https://www.qrcode-tiger.com/qr-codes-in-america

[6] https://lexatlas-c19.org/the-use-of-qr-code-system-in-china-a-battle-between-protecting-privacy-and-safeguarding-public-interests/

[7] https://a16z.com/2017/08/11/qr-codes-in-china/