# Scan-and-Pay on Android is Dangerous

**Authors:** Enis Ulqinaku, Julinda Stefa, Alessandro Mei

arXiv: 1905.10141 · 2019-05-27

## TL;DR

This paper reveals security vulnerabilities in Android's scan-and-pay mobile payment system, demonstrating how malicious overlays can redirect transactions, and proposes analysis and countermeasures for this threat.

## Contribution

It introduces Malview, a proof-of-concept attack exploiting Android overlays to hijack scan-and-pay transactions, highlighting weaknesses in existing defenses.

## Key findings

- Malview successfully redirects payments to malicious wallets.
- Overlay attacks can compromise transaction integrity.
- Current defenses are insufficient against such overlay exploits.

## Abstract

Mobile payments have increased significantly in the recent years and one-to-one money transfers are offered by a wide variety of smartphone applications. These applications usually support scan-and-pay -- a technique that allows a payer to easily scan the destination address of the payment directly from the payee's smartphone screen. This technique is pervasive because it does not require any particular hardware, only the camera, which is present on all modern smartphones. However, in this work we show that a malicious application can exploit the overlay feature on Android to compromise the integrity of transactions that make use of the scan-and-pay technique. We implement Malview, a proof-of-concept malicious application that runs in the background on the payee's smartphone and show that it succeeds in redirecting payments to a malicious wallet. We analyze the weaknesses of the current defense mechanisms and discuss possible countermeasures against the attack.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.10141/full.md

## Figures

9 figures with captions in the complete paper: https://tomesphere.com/paper/1905.10141/full.md

## References

29 references — full list in the complete paper: https://tomesphere.com/paper/1905.10141/full.md

---
Source: https://tomesphere.com/paper/1905.10141