Julinda Stefa

Massimo La Morgia, Alessandro Mei, Francesco Sassi et al.

In the last years, cryptocurrencies are increasingly popular. Even people who are not experts have started to invest in these securities and nowadays cryptocurrency exchanges process transactions for over 100 billion US dollars per month. However, many cryptocurrencies have low liquidity and therefore they are highly prone to market manipulation schemes. In this paper, we perform an in-depth analysis of pump and dump schemes organized by communities over the Internet. We observe how these communities are organized and how they carry out the fraud. Then, we report on two case studies related to pump and dump groups. Lastly, we introduce an approach to detect the fraud in real time that outperforms the current state of the art, so to help investors stay out of the market when a pump and dump scheme is in action.

Enis Ulqinaku, Julinda Stefa, Alessandro Mei

Mobile payments have increased significantly in the recent years and one-to-one money transfers are offered by a wide variety of smartphone applications. These applications usually support scan-and-pay -- a technique that allows a payer to easily scan the destination address of the payment directly from the payee's smartphone screen. This technique is pervasive because it does not require any particular hardware, only the camera, which is present on all modern smartphones. However, in this work we show that a malicious application can exploit the overlay feature on Android to compromise the integrity of transactions that make use of the scan-and-pay technique. We implement Malview, a proof-of-concept malicious application that runs in the background on the payee's smartphone and show that it succeeds in redirecting payments to a malicious wallet. We analyze the weaknesses of the current defense mechanisms and discuss possible countermeasures against the attack.

Enis Ulqinaku, Luka Malisa, Julinda Stefa et al.

We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by any Android application running with a common SYSTEM_ALERT_WINDOW permission to record all touchscreen input into other applications. Leveraging this attack, a malicious application running on the system is therefore able to profile user's behavior, capture sensitive input such as passwords and PINs as well as record all user's social interactions. To evaluate our attack we implemented Hoover, a proof-of-concept malicious application that runs in the system background and records all input to foreground applications. We evaluated Hoover with 40 users, across two different Android devices and two input methods, stylus and finger. In the case of touchscreen input by finger, Hoover estimated the positions of users' clicks within an error of 100 pixels and keyboard input with an accuracy of 79%. Hoover captured users' input by stylus even more accurately, estimating users' clicks within 2 pixels and keyboard input with an accuracy of 98%. We discuss ways of mitigating this attack and show that this cannot be done by simply restricting access to permissions or imposing additional cognitive load on the users since this would significantly constrain the intended use of the hover technology.