Lie to Me: Abusing the Mobile Content Sharing Service for Fun and Profit

Xu, G., Li, S., Zhou, H., Liu, S., Tang, Y., Li, L., Luo, X., Xiao, X., Xu, G. and Wang, H. (2022) Lie to Me: Abusing the Mobile Content Sharing Service for Fun and Profit. In: ACM Web Conference 2022, Lyon, France, 25 – 29 April 2022, pp. 3327-3335. ISBN 9781450390965 (doi: 10.1145/3485447.3512151)

Full text not currently available from Enlighten.


Online content sharing is a widely used feature in Android apps. In this paper, we observe a new Fake-Share attack in which adversaries can abuse existing content-sharing services to manipulate the displayed source of shared content, bypassing the content review of targeted Online Social Apps (OSAs) and inducing users to click on the shared fraudulent content. We show that seven popular content-sharing services (including WeChat, AliPay, and KakaoTalk) are vulnerable to such an attack. To detect this kind of attack and explore whether adversaries have leveraged it in the wild, we propose DeFash, a multi-granularity detection tool that combines static analysis and dynamic verification. Extensive in-the-lab and in-the-wild experiments demonstrate that DeFash is effective in detecting such attacks. We have identified 51 real-world apps involved in Fake-Share attacks. We have further harvested over 24K Sharing Identification Information (SIIs) that can be abused by attackers. It is hence urgent for our community to take action to detect and mitigate this kind of attack.

Item Type: Conference Proceedings
Additional Information: This work is supported by the National Natural Science Foundation of China (grants No.62072046, 61873069, 62102042), Hong Kong RGC Project (No.PolyU15224121), Shanghai Pujiang Program (No.21PJ1410700), the NSF (grants CCF-2046953 and CNS2028748), the ARC Discovery Early Career Researcher Award (DECRA) project DE200100016 and a Discovery project DP200100020.
Glasgow Author(s) Enlighten ID: Tang, Dr Yutian
Authors: Xu, G., Li, S., Zhou, H., Liu, S., Tang, Y., Li, L., Luo, X., Xiao, X., Xu, G., and Wang, H.
College/School: College of Science and Engineering > School of Computing Science
