Bypass Cell-phone-verification Through a Smartphone-based Botnet

Due to the trend that more and more web services, such as Google, Facebook, and many auction websites, require users to open their new accounts or to login to their accounts through cell-phone-verification, cell-phone-verification has become an important function of cellular phones. However, our research shows that cell-phone-verification is not always reliable. This study proposes a new attack method named MAC-YURI (My ACcount, YoUr ResponsIbility) against cell-phone-verification to show people one possible abuse of smartphones. Through MAC-YURI, an attacker can utilize a compromised smartphone as a steppingstone to accept and forward account verification code to finish cell-phone-verification when applying a new account or logging in to an account. We have implemented MAC-YURI on an Android smartphone. Experimental results show that MAC-YURI can successfully assist an attacker in obtaining the verification code of an account without the awareness of a steppingstone smartphone owner. Besides, MACYURI also develops an SMS-based mechanism to create a smartphone-based botnet. After such a botnet is created, it is difficult to locate the bot master or the machine a bot will contact in the future. Finally, this paper proposes some recommendations to protect a smartphone against MAC-YURI.