Activity hijacking attack,one type of attack on Android interface,steal user's information by hijacking the original activity interface that users use.In this paper,the effectiveness of activity hijacking attack was experimentally tested on several versions of Android systems and four necessary characteristics with the malicious behavior of activity hijacking were described.A novel static detection method called AHDetecor (activity hijacking detector) was proposed to detect the activity hijacking behavior based on its code features and multiple data flows.AHDetecor determines whether the test app is undergoing an activity hijacking attack based on the following four conditions:1) whether the test app has the permission to send out the data by analyzing the manifest configuration file;2) whether the test app simultaneously has three components:scanning,hijacking and privacy leakage according to its code features;3) whether the test app has the invoking relationship between the components of scanning and user's input;4) whether the test app has the data flows between the hijacking component and the privacy leaking component.If none of these conditions is satisfied,the detection is terminated and the test app is judged as no activity hijacking behavior.In order to evaluate the effectiveness of AHDetector,eighteen malicious Android apps were designed and implemented to cover all the activity hijacking attack logical paths while other four Android app lockers were adopted to check the false positive judgements.The test results showed that AHDetector can effectively detect malicious apps with activity hijacking attack behavior without any false positive judgement.On the other hand,six popular online detection systems (Andrubis,VirusTotal,visualThreat,Security Housekeeper,Tencent Security and Netqin Security) cannot detect 18 malicious Android apps with activity hijacking attacks.
