Bypass cell-phone-verification through a smartphone-based botnet

Fu Hau Hsu, Chi Hsien Hsu, Chuan Sheng Wang, Pei Hsun Lee, Ruei Min Jiang, Jia Sian Jhang

Research output: Contribution to journalArticlepeer-review


Due to the trend that more and more web services, such as Google, Facebook, and many auction websites, require users to open their new accounts or to login to their accounts through cell-phone-verification, cell-phone-verification has become an important function of cellular phones. However, our research shows that cell-phone-verification is not always reliable. This study proposes a new attack method named MAC-YURI (My ACcount, YoUr ResponsIbility) against cell-phone-verification to show people one possible abuse of smartphones. Through MAC-YURI, an attacker can utilize a compromised smartphone as a steppingstone to accept and forward account verification code to finish cell-phone-verification when applying a new account or logging in to an account. We have implemented MAC-YURI on an Android smartphone. Experimental results show that MAC-YURI can successfully assist an attacker in obtaining the verification code of an account without the awareness of a steppingstone smartphone owner. Besides, MAC-YURI also develops an SMS-based mechanism to create a smartphone-based botnet. After such a botnet is created, it is difficult to locate the bot master or the machine a bot will contact in the future. Finally, this paper proposes some recommendations to protect a smartphone against MAC-YURI.

Original languageEnglish
Pages (from-to)1097-1111
Number of pages15
JournalJournal of Information Science and Engineering
Issue number3
StatePublished - 1 May 2015


  • Cell-phone security
  • Cell-phone-verification
  • Smartphone-based botnet


Dive into the research topics of 'Bypass cell-phone-verification through a smartphone-based botnet'. Together they form a unique fingerprint.

Cite this