Detecting Unintended Redirects to Malicious Websites on Android Devices Based on URL-Switching Interval

Website clicks that redirect Android-phone users to malicious websites with fake virus alerts or phishing attacks are increasing exponentially. Although a uniform resource locator (URL) blocklist is considered a suitable countermeasure to such attacks, it is difficult to efficiently identify malicious websites. To the best of our knowledge, no research has focused on detecting attacks that redirect Android-phone users to malicious websites. Therefore, we propose a redirect-detection method that focuses on the URL bar-switching interval of Android-based Google Chrome browser. The proposed method, which can be easily installed as an Android application, uses the Android accessibility service to detect unintended redirects to malicious websites without collecting information about these websites in advance. This paper details the design, implementation, and evaluation results of the proposed application on an actual Android device. We determined the threshold values for the number of times the URL bar switches and the elapsed time to determine redirects to malicious websites for the proposed method. Based on the results, we investigated the causes of false-positive detection of redirects to benign websites and offer solutions on handling them. We also present the threshold values that can minimize the false positive and negative rates, as well as the detection accuracy of the proposed method based on these threshold values. Additionally, we present the evaluations results based on the access logs of actual users participating in the WarpDrive project experiment, which indicate that the proposed method minimizes false positives and successfully detects most redirects to malicious websites.