SPECIAL SECTION ON SECURITY AND PRIVACY IN EMERGING DECENTRALIZED

COMMUNICATION ENVIRONMENTS

Received November 9, 2019, accepted November 29, 2019, date of publication December 10, 2019,
date of current version December 23, 2019.
Digital Object Identifier 10.1109/ACCESS.2019.2958837

Salaxy: Enabling USB Debugging Mode

Automatically to Control Android Devices
HUI LU 1 , XIAOHAN HELU 1 , CHENGJIE JIN 1, YANBIN SUN 1,

MAN ZHANG 2 , AND ZHIHONG TIAN 1

1 Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China
2 Peng Cheng Laboratory, Shenzhen 518055, China
Corresponding authors: Yanbin Sun (sunyanbin@gzhu.edu.cn) and Man Zhang (zhangm@pcl.ac.cn)
This work was supported in part by the Guangdong Province Key Area Research and Development Program of China under
Grant 2019B010137004, in part by the National Natural Science Foundation of China under Grant 61972108, Grant U1636215, and
Grant 61572153, in part by the National Key research and Development Plan under Grant 2018YFB0803504, and in part by the
Guangdong Province Universities and Colleges Pearl River Scholar Funded Scheme (2019).

ABSTRACT Android system attackers have proposed various attack schemes to invade users’ privacy. One
way is to use ADB (Android Debug Bridge) with advanced permissions but low protection. In order to set up
an ADB connection successfully, the USB debugging option of the target device must be turned on. However,
the existing ADB-based attack schemes have not proposed how to enable the USB debugging, so it couldn’t
be considered that their attack chain is completable. This paper presents an approach for attacking Android
devices by exploiting JavaScript to enable USB debugging automatically in the device’s system settings,
which fills in the gaps of existing solutions. This method can bypass the security mechanism of USB debug-
ging mode and obtain an ADB connection without the user’s authorization. It can also bypass the alerts that
ADB Action Monitor displays when sensitive behaviors are detected. Based on AccessibilityService, Auto.js
and Scrcpy, an application called Salaxy is designed and implemented to demonstrate the effectiveness of
this method. Besides, Salaxy can monitor and manipulate Android devices remotely.

INDEX TERMS ADB, android, attack, security, smartphone, USB debugging, vulnerability.

I. INTRODUCTION In fact, the privacy of Android users has been challenged

With the rapid development of Internet technology, various
new application technologies and patterns are emerging that
people’s lives more convenient, such as the introduction of
edge computing [1], [2], substantial improvements on the
efficiency of network services; the development of wireless
sensors [3] and the improvement of sensor network manage-
ment schemes [4]–[6], making the Internet of Things (IoT)
more practical and driving the development of Internet of
Vehicles (IoV) and its security solutions [7]. The decentral-
ized mode brought by blockchain technology has provided
novel security thinking for network data [8], and the emer-
gence of mobile smart devices has subverted the status of tra-
ditional computers on the Internet and has also brought about
tremendous changes to human lifestyles.
Today, mobile smart devices are rapidly gaining popularity.
The Android OS (operating system) developed by Google is
one of the major OSs for mobile devices. Its open-source and
extensible features make it attractive and competitive, but at
the same time, they easily attract the attention of attackers.
The associate editor coordinating the review of this manuscript and
approving it for publication was Maurizio Tucci.
by various malware and attacks, such as Soundcomber [9],
which extracts a small amount of sensitive information from
the audio sensor; TouchLogger [10], which exploits the side
channel to infer keystrokes; SimBad [11], which is hidden
in the Google Play Store for users to download and install.
To avoid malicious activities, Google has taken some security
measures, such as developing anti-malware software, such as
Malwarebytes [12], detecting malicious applications in the
Google Play Store more rigorously, and using sandboxes to
restrict software access to the system; each of these measures
have limited malware attacks to some extent.
However, attackers are constantly exploring new solutions
to challenge Android security design. ADB is a multipur-
pose command-line tool that allows the developer to com-
municate with the connected Android device through a USB
cable. ADB provides many functionalities, including file
transfer, shell access, application installation and debugging,
and port forwarding. ADB very effectively allows applica-
tion developers to obtain maximum privileges on Android
smart devices, which draws the attention of attackers.
The first malware to exploit ADB resource exhaustion was
DroidDream [13], which sends malware to Android devices

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
VOLUME 7, 2019 178321
 H. Lu et al.: Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices
by installing a rootkit on the device. Hwang et al. [14]
presented some feasible, stealthy attacks that can be per-
formed with ADB. Windows malware [15] attempted to
infect Android devices to steal private data used ADB as its
main tool. Amarante et al. [16] have already identified three
attack scenarios based on the use of ADB and developed
proof-of-concept scripts that can extract private data from
a USB-connected device connected to a computer. Weizhi
Meng et al. designed a new type of charging attack, called a
juice filming attacks [17], based on a standard USB connec-
tor and an HDMI port, which is able to steal users’ private
data through automatically video-capturing their inputs with-
out drawing the attention of users. Reference [18] proposed
a scheme for obtaining the system application logs using
ADB to perform hijacking attacks. It could be seen that many
attacks against the Android system exploit the vulnerabilities
of the ADB tool—if no proper protection of ADB has been
enforced when using a USB connection, it may compromise
the privacy of smart device users. Consequently, Google has
strengthened the protection of ADB, and USB debugging
mode is disabled by default and has to be explicitly enabled in
the developer options menu. To prevent unauthorized access
via the ADB protocol, secure USB debugging was introduced
in Android version 4.2.2. [19]. A requirement was added
that each ADB session has to be authenticated. This secu-
rity mechanism ensures that USB debugging and other ADB
commands cannot be executed unless the user can unlock the
device and acknowledge the dialog.
The three attack scenarios proposed by Amarante et al. [16]
clearly noted that the attack will succeed only if USB debug-
ging is enabled. Turning on USB debugging is quite com-
plex. First, developer mode must be opened, as the developer
options screen is hidden by default. To make it visible, go to
Settings > System > About phone, tap Build number seven
times [20] and enter the lock screen password. Return to the
previous screen to find Developer options at the bottom. Next,
tap Developer options, and then tap USB debugging. When
the Android device is connected to an unknown host, the sys-
tem will display a dialog window asking whether to accept an
RSA (Rivest–Shamir–Adleman) key that allows debugging
through this computer and needs to be confirmed. How to
convince users to perform these operations is a problem that
cannot be ignored. In fact, a way to enable secure USB debug-
ging is not given in the above solutions and other ADB-based
attacks. Therefore, this mechanism seems to be very effective
in preventing ADB-based attacks.
This paper presents an approach to enable USB
debugging automatically in Android devices based on
AccessibilityService. This method can bypass the secu-
rity mechanism of USB debugging mode and bypass the
improved security mechanism design of USB debugging
mode, which was proposed in [21]. An attack model,
called Salaxy, is implemented. Salaxy is based on the
C/S (client/server) architecture, combining Auto.js and
Scrcpy (i.e., the two usual open-source software programs).
178322
The Salaxy sever is controlled by the attacker, and the client
is installed on the victim’s Android phone. Salaxy can exe-
cute preset scripts to enable USB debugging, connect to the
server, and then monitor and manipulate the victim’s Android
smartphone. The method is simple, easy and does not need to
avoid the phone’s anti-virus software and is suitable for the
Android versions 5.0 or higher.
We propose an attack method for Android devices that
effectively monitor and manipulate Android phones.
We design and implement Salaxy, a proof-of-concept
application, to demonstrate this approach.
Salaxy combines harmless software(Auto.js and Scrcpy) to
perform a malicious task. It is simple and easy to implement
and will not alert anti-virus software.
We add an induced interface to Auto.js. The induced inter-
face is just a simple UI (User Interface) to communicate with
the Salaxy Server and does not require sensitive permissions.
We modify the socket of Auto.js so that it automatically con-
nects to Salaxy Server each time it starts.
We develop two kinds of automated JavaScript scripts to
turn on the USB debugging mode(customized and generic)
that are stored on the server-side and do not require the user
to download. The scripts will not attract the attention of the
user when they run.
We test the Salaxy on Huawei Honor 10, OnePlus6 and
Xiaomi 6X phones, proving that Salaxy can video-capture
and manipulate the target phone whose version is Android
5.0 or higher.
II. BACKGROUND
A. ACCESSIBILITYSERVICE [23]
Accessibility services provide UI enhancements to assist
users with disabilities in using Android devices and apps.
They run in the background and receive callbacks by the
system when AccessibilityEvents are fired. Development of
an accessibility service requires extending the Accessibil-
ityService class and implementing its abstract methods—
onAccessibilityEvent() and onInterrupt(). These two meth-
ods will always run in the background once the service is
started. When the UI changes, an AccessibilityEvent is gen-
erated which contains the type of object being acted upon,
the descriptive text, etc. An accessibility service gets informa-
tion about a UI event through the onAccessibilityEvent() call-
back method. Then, the onAccessibilityEvent() is executed to
implement the function customized by a developer.
Google’s motivation in developing Accessibility services
was to assist users with disabilities, such as visual impair-
ments, color vision impairments, hearing loss, and mobility
issues. However, its powerful features also provide conve-
nience for attackers. This paper takes advantage of the func-
tions of Accessibility services to turn on USB debugging
mode automatically. This inspiration comes from the work
of Tian et al. [22], they navigated to the settings menu using
touchscreen automation and allow USB debugging from their
attacking machine
VOLUME 7, 2019
H. Lu et al.: Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices
B. AUTO.JS [24]
Auto.js is an open-source JavaScript automation program
running on the Android platform that does not require root
access. The functionality of Auto.js is based on Accessibil-
ityService. It provides functions such as data monitoring,
image monitoring, widget operating and automated workflow
(through running a script), which is similar to UIAutomator,
Google’s UI testing framework, but doesn’t require a com-
plicated environment configuration like UIAutomator. You
just need to install Auto.js on your Android device to use it.
In addition, by binding your computer’s IP (Internet Protocol)
address to Auto.js (one of the features that Auto.js provides),
you can operate your computer to make Android devices exe-
cute remote scripts. We developed Salaxy based on Auto.js,
augmented an induced interface, and changed the value of the
IP address variable to a fixed one (the attacker’s IP address)
at the code level. In other words, you could bind Auto.js to
any IP address you want but in Salaxy, it will automatically
be bound to the attacker’s IP address.
C. SCRCPY [25]
Scrcpy is an ADB-based command-line tool that displays
and controls Android (version 5.0 and higher) devices con-
nected through a USB cable or over TCP/IP (Transmission
Control Protocol/Internet Protocol). It works without any root
access but requires USB debugging on in the system set-
tings. Scrcpy is for GNU/Linux, Windows and Mac OS. Once
the Android device is connected to a computer with Scrcpy
installed by a USB cable, the Android device screen can be
viewed on the computer and the screen status changes can be
synchronously received. The computer mouse, keyboard and
other control devices can also be used to operate the Android
device.
In our attack process, after opening USB debugging mode
through running a remote script, we will launch Scrcpy
to manipulate Android phones. The final effect is shown
in Figure 1.
FIGURE 1. Effect of running Scrcpy. If the Allow ADB debugging in charge
only mode option is on, Scrcpy can monitor the phone without the ‘‘MTP’’
mode.
VOLUME 7, 2019
D. THREAT MODEL
Throughout the paper, we assume an extra public USB charg-
ing station controlled by an attacker, tries to attack the con-
nected Android device through a USB cable. We assume
that Salaxy is disguised as a software that provides some
kinds of functionality (such as a charging manager used with
the charging station), and the victim downloads and installs
Salaxy for their own needs. We assume that the target phone
provides the Allow ADB debugging in charge only mode
option in the system settings (which could find in Huawei
phones and it is easy for us to turn it on via running a remote
script). If not, we assume that when Salaxy prompts the user
to select ‘‘MTP’’ mode when charging, the user will do so.
The threat model is appropriate because any malware tricks
victims into installing and activating itself by providing users
with features they want or displaying some discount ads. The
threat model is based on the users’ obey consciousness. When
users need the features of the software, they often follow the
software’s prompts to operate the mobile phone.
FIGURE 2. The Allow ADB debugging in charge only mode option in
Huawei Honor phones.
III. DESIGN & IMPLEMENTATION
By combining AccessibilityService’s ability to monitor the
UI events of Android phones and act on behalf of users,
Auto.js’s ability to run scripts automatically and Scrcpy’s
ability to capture phone screens in real time, Salaxy can
turn on USB debugging mode and then monitor and manipu-
late the victim’s device without being detected by anti-virus
software. Salaxy consists of multiple components as shown
in Figure 3. What we have to be aware of is that the Auto.js
client has been bound to the Auto.js debugging terminal con-
trolled by an attacker. Our attack procedure using Salaxy is
divided into five steps:
1) When the user clicks on Salaxy Client, first he will see
the induced interface which prompts him to enter the
lock screen password, and then he does it. So the Salaxy
Server could receive the password from the client.
2) After entering the password, the Auto.js client interface
is displayed. The user turns on the AccessibilityService
according to the prompt of Auto.js.
3) The attacker uses auto.js debugging terminal to
remotely execute scripts stored on the attack side.
178323
 H. Lu et al.: Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices
4) When scripts finish running, the USB debugging of the
Android phone will be turned on.
5) The attacker runs Scrcpy on the attacker side to manip-
ulate the victim’s phone.
It should be noted that we don’t require the USB cable
connected before step 5. In fact, the first four steps could be
completed in the wireless connection.
FIGURE 3. A graphical depiction of our attack process based on Salaxy.
Salaxy Server starts the service listener and waits for the
client to connect. The MainActivity class of Salaxy Client
implements the Runnable interface, which defines the IP
address of Salaxy Server and port. When the user starts the
Salaxy Client, it will instantiate a Socket (Salaxy Server’s IP
address, port) and request to connect to the Salaxy Server,
then the client and server communicate through a socket.
At the same time, the Induced interface is shown.
A. INDUCED INTERFACE
For most Android smartphones, enabling developer mode
requires a password if the lock screen password is set. Cur-
rently, most smartphone users have set a lock screen pass-
word. Only a small number of disabled or elderly people
have not. Therefore, obtaining the lock screen password of
a victim’s smartphone is a very important part of the attack
process. The appearance of the induced interface comes from
the phone’s lock screen interface. It is the first interface
shown when running Salaxy, which prompts a user to enter
his lock screen password. This link is a deceptive method, not
a technical one because the interface is just used to obtain the
password entered by the user instead of performing the pass-
word verification. This design is based on many observations.
As people become more reliant on smartphones, mobile users
frequently unlock their phone screens every day, so they are
often not too sensitive to software behaviors that require a
lock screen password.
The interface provides a 4-digit password option and a ges-
ture one. There are four input boxes set in the 4-digit pass-
word interface. When the user enters four numbers, they will
be sent to the Salaxy Server. The pattern interface provides a
nine-square (3∗ 3) grid. The implementation of this interface
is mainly divided into the following parts:1) Icon. Define a
178324
point class to display the icon, which is the dot in the nine-
square grid. It stores some attributes, such as the position
of the top, bottom, left, and right of the current point, the
state of the point, and its index. 2) Draw the pattern area.
Define a GesturePsdView class to draw the nine-square grid,
and add nine point-type objects to represent the nine icons.
In this class, the color of the selected point and the color
of the line are defined. 3) Draw the gesture path. Override
the onTouchEvent() method, which listens to TouchEvent
events such as ACTION_DOWN, ACTION_MOVE, and
ACTION_UP events to record the path when the user con-
nects different points by drawing. 4) Obtain the pattern.
Salaxy determines the position of the point that the user’s fin-
ger touches, records the index of each point with the ‘‘index’’
attribute, and then saves the index of the touched point in
sequence according to the point that the user’s gesture passes
(from top to bottom, the order of the points is 1, 2, 3, 4, 5, 6, 7,
8, 9). The entire recorded process does not allow point repeti-
tion. Finally, a sequence of user connection points is obtained
and sent to the server. Salaxy Client writes data to the socket
through a DataOutputStream class, the Salaxy Server receives
the stream through DataInputStream, and then uses the read-
UTF() method to read the data. As a result, the Salaxy Server
receives the plaintext password entered by the user.
B. SCRIPT LOGIC DESIGN
For security reasons, developer mode on the Android system
is disabled by default, and it cannot be opened by means such
as executing system commands in the background. Navigate
to the settings menu using the touchscreen and click it is the
only way to enable it. To prevent users from accidentally turn-
ing on developer mode, Android hides this option from the
system settings menu. Take the Huawei Honor series smart-
phones as an example. The way to turn on USB debugging
mode is to go to Settings > System > About phone, select
Build number seven times, enter the lock screen password,
return to the previous screen, and tap Developer options >
USB debugging. A dialog window appears with ‘‘Allow USB
debugging?’’: click OK. Apparently, turning on USB debug-
ging mode is a tedious process that requires human interven-
tion. Therefore, USB debugging mode is difficult to exploit
in traditional attack scenarios.
The method presented in this paper is based on Accessi-
bilityService and Auto.js. We wrote simple scripts that con-
vert the above operations into automation. We investigated
the methods of turning on USB debugging mode for differ-
ent brands Android smartphones, such as Huawei, OnePlus,
Xiaomi, Vivo, Meizu, and Coolpad, and found that they are
similar. One of the differences between these devices is the
password verification for opening developer mode. In the
above brands, Xiaomi and Meizu smartphones do not require
a password when turning on developer mode, which makes
the attack easier. The other difference is the locations of
smartphone options, such as the System option of a Huawei
smartphone, which is located at the bottom of the Settings
menu (we need to scroll down to find it). However, it is at
VOLUME 7, 2019
H. Lu et al.: Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices
the top of the Xiaomi smartphone so that we can omit the
scrolling operation. This paper takes a Huawei smartphone
as an example to illustrate the implementation of turning
on developer mode, as Huawei smartphones have the most
complicated steps, requiring screen scrolling and password
verification. The complete operation of allowing USB debug-
ging for Huawei mobile phone is Settings - System - About
Phone - click ‘‘Build Number’’ 7 times - System - Developer
Option - USB debugging - OK. The script behavior is shown
in Figure 4.
FIGURE 4. Process of the script for turning on USB debugging. The
process will be hidden below an opaque floating window.
Under the condition that USB debugging is allowed, when
the user connects his mobile phone to the USB cable,
the Android system will detect whether the currently con-
nected host is in the whitelist for ADB of the mobile phone,
if not, a dialog box will be displayed to ask whether to accept
the RSA key that allows debugging through this host, and OK
must be selected. The Salaxy script will continuously monitor
the OK widget. Once the dialog that requires user confirma-
tion appears, it will be confirmed by the script immediately
so that the user has no time to check and stop it. The script
behavior is shown in Figure 5.
FIGURE 5. Process of the ADB authorization confirmation script.
The UI of the mobile phone changes according to the exe-
cution of a script, which will easily attract the attention of the
VOLUME 7, 2019
user. To make the changes of the phone’s UI hidden from the
user, we will open an opaque floating window when the script
starts and close it after the USB debugging is successfully
turned on. Figure 4 illustrates when the floating window is
opened and closed.
C. SCRIPTWRITING
Auto.js provides two methods to click on an option in the
smartphone menu: widget-based and coordinate-based oper-
ations.
1) WIDGET-BASED OPERATIONS
A widget-based operation refers to selecting a widget on the
screen and getting its attributes or manipulating it. Generally,
widget-based operations have good compatibility with differ-
ent smartphone models. The general software interfaces are
composed of many widgets; for example, the image part is a
picture widget (ImageView), and the text part is a text widget
(TextView). A widget has various attributes, including text
(text), description (desc), class name (className), and id.
We usually use some attributes of the widget to search for it,
show in List1.
List 1 Searching for the Settings Widget
//Searching for the Settings widget
Find (‘‘Settings’’ widget) {
widgetsSet = widgets with the class name
‘‘android.widget.TextView’’ in the current view;
targetWidget = a widget with the word ‘‘Settings’’ in
widgetsSet;
Looking for the ‘‘Settings’’ widget in the current view{
If (found):
Return an object of the targetWidget;
Else:
Return false;
Wait for the view to change and look for it again;
}
}
Salaxy’s script uses the class name attribute to search for
the Settings widget, and the click() method is used to click on
it, as shown in List 2:
List 2 Tapping the Settings Widget
//Tapping the Settings widget
If (Find (‘‘Settings’’ widget) = an object of the Settings
widget):
Do click();
Else:
Unable to click;
Some widgets have a clickable attribute of false, which
means that they cannot be tapped through the click() function.
Thus, we should call the bounds() function to obtain their
coordinates and then click on the coordinates. For example,
if we need to click on the System and About phone widgets,
178325
 H. Lu et al.: Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices
we cannot call click() directly but rather bounds(). The pseu-
docode is shown in List 3.
List 3 Obtain the Coordinates of the System Widget and Click
on It
// Obtain the coordinates of the System widget and click
on it
targetWidget=Find(‘‘System widget’’);
coordinates = targetWidget.bounds();
x-axis = coordinates.right;
y-axis = coordinates.centerY();
click(x-axis,y-axis);
If the widget we are looking for does not exist in the current
view, we need a swipe operation to scroll down the phone
screen, which is achieved by scrolling down the list widget
named ‘‘android.support.v7.widget.RecyclerView’’. The list
widget itself provides a scrollForward() method for users to
call. For example:
List 4 Scrolling Down
//Scrolling down
listWidget = Find (‘‘android.support.v7.\\
widget.RecyclerView’’);
Call scrollForward() method of listWidget{
swipe from the top of listWidgetto the bottom
of it;
} auto.Js provides floaty.rawwindow() function to set floating
The final step in opening the developer mode is to enter
the lock screen password, so when the build number has been
tapped 7 times, the password verification interface will pop
up. For a text box widget, Auto.js provides a setText() func-
tion to input data. The password is entered via setText():
List 5 Enter the Lock Screen Password
//Enter the lock screen password
pwdWidget = Find (target widget with id pass-
word_entry);
password = ‘‘1111’’; // suppose the password we got from
the induced interface is 1111
setText(password) {
Call the setText() method of pwdWidget;
Enter ‘‘1111’’;
} );
2) COORDINATE-BASED OPERATIONS
In practice, we encounter some special cases. some wid-
gets not only have a clickable attribute of false but also
do not provide the above-mentioned bounds() function to
obtain the coordinates, or some elements of the UI cannot
be clicked because they are not a widget. for this reason,
the widget-based approach is not always efficient, and a
coordinate-based approach is needed.
Android smartphones take the point in the upper-left
corner of the screen as the coordinate origin. The screen
178326
size of each mobile phone is different, resulting in differ-
ent coordinate data for the same position, so the universal-
ity of the coordinate-based method is worse than that of
the widget-based method. However, the advantage of the
coordinate-based method is that we do not need to consider
the clickable attribute of the widget. The script can perform
the click operation with given only the coordinates. In this
experiment, the numeric keypad of the OnePlus6 smartphone
is not a widget. We need to click Next in the lower-right
corner of the keyboard when the password is entered. The
solution is shown in List 6.
List 6 Click on the Location Where the Coordinates Are (900,
1760)
// Click on the location where the coordinates (900, 1760)
are
Set the parameter of the phone screen size to (1080, 1920);
Call the method to click (900, 1760);
Affected by The resolution of the phone screen, the accu-
racy of the coordinate-based method is slightly lower than
that of the widget-based method. However, sometimes The
Widgets May Not be clickable. The widget-based and
coordinate-based methods Have Their Own Strengths. Our
solution uses the combination of the two methods to complete
the script.
The implementation of the floating window is very simple.
windows. We only need to define an opaque floating window
object, setting its size to fill the screen. We could even set
some text on the floating window as needed. for example:
List 7 Set the Floating Window
// Set the floating window
floatyWin = floaty.rawWindow(
gravity = ‘‘center’’;
background color = ‘‘#FCFCFC’’;
size = full screen;
words = setText(
//set some words on floatyWin
gravity = ‘‘center’’;
color = ‘‘black’’;
text = ‘‘Loading. . . ’’;
);
Make floatinWin Untouchable; // Prevent users from
accidentally touching
setTimeout{
Close floatinWin after 8 seconds;
};
IV. EVALUATION
A. SCRIPT EXECUTION SUCCESS RATE
We take developer mode as an example. The number of wid-
gets needed to open developer mode is recorded as the path
VOLUME 7, 2019
H. Lu et al.: Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices

length. The actions that need to be performed during this
process are as follows: find the widget (Find), click the wid-
get (Click), scroll the screen (Scroll) and input the password
(Write), which are known as F, C, S, W for short. According to
the path length and the action sequence, three most represen-
tative Android smartphones are selected as the experimental
objects: Huawei Honor 10, OnePlus6 and Xiaomi 6X. Their
developer mode startup path is as follows:
Huawei Honor 10: go to Settings > System > About
phone, tap Build number seven times, and enter the lock
screen password. (path length: 5)
OnePlus6: go to Settings > About phone, tap Build num-
ber seven times, enter the lock screen password, and tap Next.
(path length: 5)
Xiaomi 6X: go to Settings > My device > All parameters,
and tap Build number seven times. (path length: 4)
The operation model abstracted from the paths above is
shown in Table 1.
TABLE 1. Operation analysis of turning on developer mode.
which will reduce the success rate. However, to ensure com-
patibility, the generic script must tolerate a drop in the success
rate. We ran the generic script on three experimental subjects
at the same time and repeated the experiment 400 times. The
results are shown in Figure 6. The main reason for the low
success rate of the generic script on OnePlus6 is that the path
inconsistency causes the phone to perform additional opera-
tions.
FIGURE 6. The success rate of the custom script and the generic script.
After developer mode is enabled, we will similarly perform
the script to enable USB debugging mode and then run Scrcpy
on the Salaxy Server to monitor and manipulate the victim’s
Android smartphone.
Many times the reason for the failure is that some target
widgets are located at the top of the interface of the phone
(such as About phone widget of Huawei and My device wid-
get of Xiaomi), so the script may accidentally tap the wrong
widget when the notification bar activates from the top.

B. TIME PERFORMANCE OF THE SCRIPTS

To verify the advantages of the scripting operations, we tested
the time required for manual operation and script execution
about turning on developer mode. We asked 200 testers to
Obviously, of all the types of mobile phones that have been manually open the developer mode for Android phones and
investigated, Huawei Honor 10 requires the most operations, then used the scripts to do the same for 200 times. In fact, after
while Xiaomi 6X requires the least. Moreover, it has been 100 attempts, we found that the time consumption of the three
observed in the experiment that the screen-scrolling opera- mobile phones basically stabilized. The results are shown
tion takes the most time, and the range of scrolling has to in Figure 7(we selected 100 experimental data for plotting).
be considered, which makes the success rate unsatisfactory.
In other words, the screen-scrolling operation can be consid-
ered to have the highest complexity. Considering that turning
on developer mode on the Xiaomi 6X does not require a lock
screen password, the success rate of the attacks on this system
should be the highest among the three.
We customized scripts to turn on developer mode automat-
ically for each experimental object and conducted 400 exper-
iments on each experimental object. After 100 experiments,
we found that the success rate distribution of the three mobile
phones basically stabilized. The results are shown in Figure 6.
However, in actual attacks, the brand of the victim’s smart-
phone is often uncertain. We observe the similarities and dif-
FIGURE 7. The time required for manual operation and script execution.
ferences among the paths of the three experimental objects
and then set up some branch paths in the script. Finally, It could be seen that running scripts can save two-thirds of
a generic script was generated to turn on three experimental the time compared to manual operations on the three experi-
subjects’ developer modes simultaneously. The disadvantage mental objects. The script for Xiaomi 6X has the best perfor-
of the generic script is that it needs to search for more widgets, mance.

VOLUME 7, 2019 178327

 H. Lu et al.: Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices
The Huawei and OnePlus smartphones take approximately
the same amount of time in manual operation because they
have the same path length. Xiaomi takes the least amount
of time because no password verification is required. From
the test results of the script executions, the Xiaomi smart-
phone, which has the shortest path length and the least
script actions, takes the least amount of time. The average
amount of time consumed by the Huawei and OnePlus phones
are almost the same, but the stability of Huawei script is
better.
Ultimately, we can conclude that the method of running a
script to turn on developer mode will greatly reduce the time
consumption. The shorter the path and the fewer the opera-
tions, the more efficient the script is.
V. DISCUSSION
A. APPLICATION SCENARIOS
When applying the attack theory method into practice,
the real scene needs to be considered. We need to investigate
the characteristics of a target victim and modify the UI or
functions of Salaxy according to those characteristics.
1) USING SALAXY AT A PUBLIC CHARGING STATION
We propose the use of Salaxy at a public USB charging sta-
tion, which is inspired by a juice filming attacks [17]; this
method can automatically video-capture user inputs during
charging, and the attackers can easily manually recover users’
private data, such as personal identification numbers (PINs)
and email accounts, based on the recorded video. In our
approach, Salaxy is camouflaged as an app for use with
charging stations. Before charging the device at a charging
station, users must install and register Salaxy. Less vigilant
users will do so and connect the phone with a USB cable
of the charging station. Then, we have a high probability
of turning on USB debugging mode in the victim’s Android
device and being able to set up a video transmission between
the Salaxy server and the victim’s device. Compared with
juice filming attacks, Salaxy is able to bypass the security
mechanism of USB debugging mode and monitor the screen
of the victim’s devices without any hardware, such as the
VGA/USB interface. Furthermore, Salaxy can manipulate the
device remotely, but juice filming attacks cannot. Last but not
least, Salaxy can still maintain the connection via a TCP/IP
connection after the user unplugs the USB cable from the
charging station.
2) DEPLOYED IN SMART CAMPUS INFRASTRUCTURES
Smart campuses use technology and infrastructure to sup-
port and improve campus services, teaching, learning, and
research [26], which will greatly promote the reform and
innovation of the education model. Smart campuses provide
campus network services, learning and research facilities to
teachers and students and maintain and manage many under-
lying devices and their data [27]. For Salaxy, smart campuses
are a good place to hide probably.
178328
3) SMART NETWORK TVS
IPTVs (Internet Protocol Televisions) [28] are a combination
of Internet and TV technology. They have been used on a
large scale and are moving toward intelligence. Due to the
portability of the Android system, most of the smart TVs
on the market today are Android-based. Smart IPTVs must
rely on the network and a charging cable, which provides the
possibility of a Salaxy attack.
B. SHORTCOMINGS OF SALAXY
1) ‘‘ CHARGE ONLY ’’ EFFECTIVENESS
One of the Salaxy’s drawbacks is that when the user selects
‘‘charge only’’ when charging, the fifth step of the attack
method(shown in Figure 3) will be ineffective, because Scr-
cpy, one of the components of Salaxy, requires ‘‘MTP’’ mode
to monitor the phone. In the Threat Model(Section II-D),
we assume that the target phone provides the Allow ADB
debugging in charge only mode option in the system settings,
but in fact, many brands of Android phones do not provide
this option, so we still require the ‘‘MTP’’ mode selected by
the user. So whether the attack is successful depends on the
user’s vigilance against the security of the ‘‘MTP’’ mode.
2) PROBABILITY OF CORRECT PASSWORD
The other weakness is whether we can receive the correct lock
screen password depends on the user’s input in the induced
interface. If the user just randomly enters a string of numbers,
we won’t be able to open the developer mode of his phone
which will prevent subsequent attacks. Overall, getting the
correct password is a probability event.
3) EQUIRES HUMAN INTERVENTION
Besides, the integration of Auto.js and Scrcpy needs further
improvement. The two separate functional modules must be
connected through an ADB command. Executing this ADB
command requires manual operation, but we hope to fully
automate the attack process, which will be a challenge in the
future.
VI. RELATED WORK
Amarante et al. [16] identified three different scenarios and
present three methods based on the use of the Android Debug
Bridge tool to furtively extract private data from Android
mobile phones in those cases. In the first scenario, the mobile
phone whose Android version is 2.2 is rooted and its USB
debugging is on. In the second, the mobile phone with
Android 4.0.4 is unrooted but its USB debugging is still on.
In the third, the version is 5.0 with unrooted and the USB
debugging is off. However, it was not possible to extract data
from the device in the third case. By contrast, Salaxy requires
neither root privileges nor an opened USB debugging.
Tian et al. [29] surveyed and categorized USB host-related
attacks. On their basis, Opasiak et al. [30] considered a
broader spectrum of the USB-related attacks and evaluated
the security of the Secure USB debugging from the USB
VOLUME 7, 2019
H. Lu et al.: Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices
connectivity perspective. With the Secure USB debugging
mechanism, when the Android mobile device is connected to
a given host for the first time, it requires a host authentica-
tion. There is no data integrity mechanism in any other step
of the ADB communication. They presented an approach to
compromise Android-based devices by exploiting the ADB
protocol using Man in the Middle (MitM) attacks. They con-
nected the victim’s phone to the attacker’s computer. When
the phone sends A_AUTH TOKEN, the attacker’s computer
forwards the message to the trusted host and captures a
valid signature for this challenge. This signature will be sent
back to the attacker’s host and then to the victim’s phone.
Finally, the phone will authenticate the attacker’s computer
as a trusted host and grant access to all device resources.
However, this attack requires activation of USB debugging on
the mobile phone and requires physical access to the host that
the victim previously trusted. That is, they did not propose a
way to turn on the USB debugging option automatically.
Tian et al. [22] proposed a solution to bypass the Android
security mechanisms through AT commands. They found that
AT commands accessed through the USB interface allow
almost arbitrarily powerful functionality without any authen-
tication required. They retrieved 2,018 Android binary smart-
phone firmware images and extracted 3,500 AT commands.
In the LG G4 mobile phone firmware image, the AT com-
mand to bypass the lock screen (AT%KEYLOCK=0) and the
one to enable USB debugging (AT%USB=adb) were found.
Once the attacker has bypassed the lock screen by the KEY-
LOCK AT command, he could send touch events can to nav-
igate the phone which connected to the attacker’s computer
through a USB cable to open the developer mode (the com-
mand can also bypass the password authentication of devel-
oper mode), then send the USB debugging AT command.
To the authors’ best knowledge there is no better method
to bypass the lock screen with minimal permissions and a
high success rate. However, not every version of the Android
device provides the above two AT commands.
Juice filming attacks, a charging attack designed by
Meng et al. [17], can steal users’ information by automati-
cally taking videos, when they are interacting with the phones
during the charging process, without causing user awareness.
They use a VGA2USB interface which is connected to a com-
puter forming a malicious charger, and the computer then can
automatically video-capture user inputs when the phone is
connected to the charger. By contrast, Salaxy uses an easier
model to construct the attack process, not only to record infor-
mation as the Juice filming attack does, but also to simulate
users’ operation.
VII. CONCLUSION
This paper presents an approach to attack Android-based
devices by running JavaScript scripts to turn on USB debug-
ging mode. This method can bypass the security mechanism
of USB debugging mode and obtain ADB connection autho-
rization without the user’s authorization. It can also bypass
the alerts that ADB Action Monitor displays when sensitive
VOLUME 7, 2019
behaviors are detected. With this method, we designed and
implemented a proof of concept application called Salaxy,
which is composed of Auto.js and Scrcpy. Then, we demon-
strate the effectiveness of Salaxy on three different brands
and models of Android smartphones. The results show that
Salaxy can remotely monitor and control Android devices in
real time, allowing the attacker to manipulate the phone.
Today, people rely heavily on smartphones, which carry
much work information and personal private data and have
a very high correlation with personal property. The security
risks of USB debugging undoubtedly threaten the security
of smartphone users. Some measures have to be taken to
enhance the security of USB debugging mode. In addition,
other Android-based electronic devices, such as smart TVs
(discussed in Section V-A), also need to strengthen the secu-
rity of USB debugging mode.
ACKNOWLEDGMENT
The authors would like to sincerely thank all the reviewers
for your time and expertise on this article. your insightful
comments help us improve this work.
REFERENCES
[1] Z. Tian, W. Shi, Y. Wang, C. Zhu, X. Du, S. Su, Y. Sun, and N. Guizani,
‘‘Real-time lateral movement detection based on evidence reasoning net-
work for edge computing environment,’’ IEEE Trans. Ind. Informat.,
vol. 15, no. 7, pp. 4285–4294, Jul. 2019.
[2] Z. Tian, C. Luo, J. Qiu, X. Du, and M. Guizani, ‘‘A distributed deep
learning system for Web attack detection on edge devices,’’ IEEE Trans.
Ind. Informat., to be published, doi: 10.1109/TII.2019.2938778.
[3] X. Du and H. H. Chen, ‘‘Security in wireless sensor networks,’’ IEEE
Wireless Commun. Mag., vol. 15, no. 4, pp. 60–66, Aug. 2008.
[4] X. Du, Y. Xiao, M. Guizani, and H.-H. Chen, ‘‘An effective key manage-
ment scheme for heterogeneous sensor networks,’’ Ad Hoc Netw., vol. 5,
no. 1, pp. 24–34, 2007.
[5] Z. Tian, X. Gao, S. Su, and J. Qiu, ‘‘Vcash: A novel reputation
framework for identifying denial of traffic service in Internet of con-
nected vehicles,’’ IEEE Internet Things J., to be published, doi: 10.
1109/JIOT.2019.2951620.
[6] Y. Xiao, V. Rayi, B. Sun, X. Du, F. Hu, and M. Galloway, ‘‘A survey
of key management schemes in wireless sensor networks,’’ J. Comput.
Commun., vol. 30, nos. 11–12, pp. 2314–2341, Sep. 2007.
[7] Z. Tian, X. Gao, S. Su, J. Qiu, X. Du, and M. Guizani, ‘‘Evaluating repu-
tation management schemes of Internet of vehicles based on evolutionary
game theory,’’ IEEE Trans. Veh. Technol., vol. 68, no. 6, pp. 5971–5980,
Jun. 2019.
[8] Z. Tian, M. Li, M. Qiu, Y. Sun, and S. Su, ‘‘Block-DEF: A secure digital
evidence framework using blockchain,’’ Inf. Sci., vol. 491, pp. 151–165,
Jul. 2019, doi: 10.1016/j.ins.2019.04.011.
[9] R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia, and
X. Wang, ‘‘Soundcomber: A stealthy and context-aware sound trojan for
smartphones,’’ in Proc. NDSS, vol. 11, 2011, pp. 17–33.
[10] L. Cai and H. Chen, ‘‘TouchLogger: Inferring keystrokes on touch screen
from smartphone motion,’’ HotSec, vol. 11, no. 2011, p. 9, 2011.
[11] Zdnet. Almost 150 Million Users Impacted by New SimBad
Android Adware. Accessed: Apr. 2019. [Online]. Available:
https://www.zdnet.com/article/almost-150-million-users-impacted-
by-new-simbad-android-adware/
[12] Wikipedia. Malwarebytes (software). Accessed: Apr. 2019. [Online].
Available: https://en.wikipedia.org/wiki/Malwarebytes_(software)
[13] A. G. Villan and J. Jorba, ‘‘Remote control of mobile devices in
Android platform,’’ Oct. 2013, arXiv:1310.5850. [Online]. Available:
https://arxiv.org/abs/1310.5850
[14] S. Hwang, S. Lee, and Y. Kim, ‘‘Bittersweet ADB: Attacks and
defenses,’’ in Proc. 10th ACM Symp. Inf., Comput. Commun. Secur., 2015,
pp. 579–584.
178329
 H. Lu et al.: Salaxy: Enabling USB Debugging Mode Automatically to Control Android Devices

[15] F. Liu. Windows Malware Attempts to Infect Android Devices. XIAOHAN HELU received the B.E. degree in
Accessed: Apr. 2019. [Online]. Available: http://www.symantec.com/ computer science and technology from the Bei-
connect/blogs/windows-malware-attempts-infect-android-devices jing University of Posts and Telecommunications,
[16] J. Amarante and J. P. Barros, ‘‘Exploring USB connection vulnerabilities Beijing, China, in 2017. She is currently pursu-
on Android devices breaches using the Android debug bridge,’’ in Proc. ing the M.S. degree with the Cyberspace Institute
14th Int. Joint Conf. E-Bus. Telecommun. (ICETE), 2017, pp. 572–577. of Advanced Technology, Guangzhou University,
[17] W. Meng, W. H. Lee, and S. R. Murali, ‘‘Charging me and I know your
Guangzhou, China. Her research interests include
secrets!: Towards juice filming attacks on smartphones,’’ in Proc. 1st
cyberspace security, mobile smart terminal secu-
ACM Workshop Cyber-Phys. Syst. Secur., 2015, pp. 89–98.
[18] L. Yang, L. Wang, and D. Zhang, ‘‘Malicious behavior analysis of rity, and intelligent attack-defense.
Android GUI based on ADB,’’ in Proc. IEEE Int. Conf. Comput. Sci.
Eng. (CSE) IEEE Int. Conf. Embedded Ubiquitous Comput. (EUC), vol. 2,
Jul. 2017, pp. 147–153.
[19] Nikolay Elenkov. Secure USB debugging in Android 4.2.2.
Accessed: Apr. 2019. [Online]. Available: https://nelenkov.blogspot.
com/2013/02/secure-usb-debugging-in-android-422.html
[20] Android Debug Bridge (ADB). Accessed: Apr. 2019. [Online]. Available: CHENGJIE JIN received the B.E. degree in com-
https://developer.android.com/studio/command-line/adb puter science and technology from Chang’an Uni-
[21] M. Xu, W. Sun, and M. Alam, ‘‘Security enhancement of secure USB versity, in 2018. He is currently pursuing the M.S.
debugging in Android system,’’ in Proc. 12th Annu. IEEE Consum. Com- degree with the Cyberspace Institute of Advanced
mun. Netw. Conf. (CCNC), Jan. 2015, pp. 134–139 Technology, Guangzhou University, Guangzhou,
[22] D. J. Tian, G. Hernandez, and J. I. Choi, ‘‘ATtention spanned: Com- China. His research interests include cyberspace
prehensive vulnerability analysis of AT commands within the Android
security, mobile smart terminal security, and intel-
ecosystem,’’ in Proc. 27th USENIX Secur. Symp., 2018, pp. 273–290.
[23] Accessibility Service. Accessed: Apr. 2019. [Online]. Available:
ligent attack-defense.
https://developer.android.com/reference/android/accessibilityservice/A
ccessibilityService.
[24] Auto.js. hyb1996. Accessed: May 2019. [Online]. Available:
https://github.com/hyb1996/Auto.js
[25] Scrcpy (v1.10). Genymobile. Accessed: Apr. 2019. [Online]. Available:
https://github.com/Genymobile/scrcpy
[26] Z. Tian, S. Su, W. Shi, X. Du, M. Guizani, and X. Yu, ‘‘A data-driven YANBIN SUN received the B.S., M.S., and Ph.D.
method for future Internet route decision modeling,’’ Future Gener. Com- degrees in computer science from the Harbin Insti-
put. Syst., vol. 95, pp. 212–220, Sep. 2019. tute of Technology (HIT), Harbin, China. From
[27] J. Qiu, L. Du, D. Zhang, S. Su, and Z. Tian, ‘‘Nei-TTE: Intelligent traf- 2016 to 2018, he was with Jinan University. He is
fic time estimation based on fine-grained time derivation of road seg-
currently an Associate Professor with Guangzhou
ments for smart city,’’ IEEE Trans. Ind. Informat., to be published, doi:
University, China. His research interests include
10.1109/TII.2019.2943906.
[28] Y. Xiao, X. Du, J. Zhang, and S. Guizani, ‘‘Internet protocol television network security, future networking, and scalable
(IPTV): The killer application for the next generation Internet,’’ IEEE routing.
Commun. Mag., vol. 45, no. 11, pp. 126–134, Nov. 2007.
[29] J. Tian, N. Scaife, D. Kumar, M. Bailey, A. Bates, and K. Butler,
‘‘SoK: ‘Plug & Pray’ Today—Understanding USB insecurity in versions
1 through C,’’ in Proc. IEEE Symp. Secur. Privacy (SP), May 2018,
pp. 1032–1047.
[30] K. Opasiak and W. Mazurczyk, ‘‘Secure Android debugging: Security-
analysis and lessons learned,’’ Comput. Secur., vol. 82, pp. 80–98, 2019, MAN ZHANG received the B.E. and M.S. degrees
doi: 10.1016/j.cose.2018.12.010. from Southwest Jiaotong University, Chengdu,
[31] Q. Tan, Y. Gao, J. Shi, X. Wang, B. Fang, and Z. Tian, ‘‘Toward a com-
China, in 2003 and 2006, respectively. From
prehensive insight into the eclipse attacks of Tor hidden services,’’ IEEE
2008 to 2018, she was with SafEngServices and
Internet Things J., vol. 6, no. 2, pp. 1584–1593, Apr. 2019.
Technologies Ltd., China. She is currently an Engi-
neer with the Peng Cheng Laboratory. Her cur-
rent research interests include data mining and
cyberspace security simulation. She is also a mem-
ber of the China Computer Federation.

HUI LU received the B.E. degree in electronic sci-

ence and technology and the M.S. degree in optical
engineering from Southwest Jiaotong University,
Chengdu, China, in 2003 and 2006, respectively,
and the Ph.D. degree in electromagnetic field and
microwave technology from the Beijing University
of Posts and Telecommunications, Beijing, China,
in 2010. He was a Research Associate with the
Institute of Microelectronics, Chinese Academy
of Sciences, China, from 2010 to 2017. In 2017,
he joined Guangzhou University, Guangzhou, China, where he is currently
an Associate Professor with the Cyberspace Institute of Advanced Technol-
ogy. His research interests include cyberspace security and intelligent attack-
defense.
ZHIHONG TIAN received the Ph.D. degree from
the Harbin Institute of Technology. From 2003 to
2016, he was with the Harbin Institute of Technol-
ogy. He is currently a Professor, a Ph.D. Supervi-
sor, and the Dean of the Cyberspace Institute of
Advanced Technology, Guangzhou University. His
current research interests include computer net-
works and network security. He is also a member
of the China Computer Federation and the Stand-
ing Director of the Cyber Security Association of
China.

178330 VOLUME 7, 2019