"Hey Google, Remind me to be Phished" Exploiting the Notifications of the Google (AI) Assistant on Android for Social Engineering Attacks

Marie Weinz (University of Liechtenstein), Saskia Laura Schroeer (University of Liechtenstein), Giovanni Apruzzese (University of Liechtenstein)

Researchers from the University of Liechtenstein show how a feature of the Google ecosystem (specifically, of Android) can be maliciously exploited, by elucidating how the notifications generated by the Google Assistant can help phishers reach their goals. They found that Android users who let the Google Assistant check their inbox are reminded to carry out tasks that are solicited in emails they have never opened. From a social-engineering perspective, an attacker can send a crafted email to an Android user, who then receives a notification (from Google) "reminding" them that a task is soon due, thereby urging them to "fall for the phish." Just imagine: while going through your day, you suddenly receive a notification on your smartphone saying that "An outstanding task is soon due." Tapping the notification opens the email, which, if malicious, contains ill-purposed content such as harmful links or malware attachments. The sense of urgency created by the unexpected reminder may lead the user to overlook phishing cues, facilitating social engineering attacks.

This subtle (and novel) threat is rooted in the core functionality of smart (AI-based) assistants that passively analyse our data to improve our digital well-being. Users of these tools must be made aware of the issue to prevent harmful consequences. Therefore, besides describing the discovery and analysing it under a security lens, the authors also (i) carry out a user study to gauge the potential impact of the issue; and (ii) emphasize practical takeaways for both users and developers. The investigators disclosed their finding to Google, which acknowledged the possibility of such attacks but stated that no fix to its software will be made. #ecrime2024

Please join Dinil and other members of the counter-cybercrime avant garde at APWG eCrime 2024 in Boston next month. APWG eCrime presents research into every aspect of cybercrime, from tracking anonymous criminals across cyberspace to phishers' exploitation of the Google Assistant's email-derived reminders to provoke responses to their lures.

This year's Symposium on Electronic Crime Research (eCrime 2024) explores the theme of taking back cyberspace from the criminal plexus, as framed by pioneering figures of our time. APWG eCrime 2024 Boston will examine the technological exposures, policy aspects, economic foundations, and behavioral elements that fuel the multi-billion-dollar cybercrime plexus, searching for the catalyzing, organizing questions that will help turn the tide against cybercrime.

eCrime 2024's program includes globe-leading cybercrime industry interveners and researchers, as well as plenary addresses by cybersecurity legend Bruce Schneier, fellow at Harvard's Berkman Klein Center, and Internet engineering trailblazer David Clark of MIT's Computer Science and Artificial Intelligence Laboratory.


INQUIRIES can be forwarded to: [email protected]

The eCrime agenda: https://apwg.org/event/ecrime2024/

NOTE: Discount ticket codes for eCrime 2024 are available for unsubsidized university researchers, NGO members and personnel, government personnel, law enforcement personnel and some trade association members. Delegates from those organizations can contact the event organizers at [email protected].

The accommodations registration page for the eCrime 2024 conference hotel is here, with instructions to reserve at the discounted symposium rate:

https://apwg.org/apwg-ecrime-2024-accommodations/
