This work addresses covert UI spoofing attacks in social virtual reality (VR) platforms—a previously unexplored threat. We systematically define and empirically uncover four novel spoofing paradigms, wherein attackers forge immersive virtual interfaces to induce users to perform malicious actions unknowingly. We implement and evaluate proof-of-concept attacks on VRChat, validated via a 30-participant IRB-approved user study, achieving an average spoofing success rate exceeding 73%. To counter this threat, we propose MetaScanner: a lightweight, real-time detection framework integrating dynamic Unity script analysis, heuristic object-behavior modeling, and a client-side scanning engine. MetaScanner achieves sub-3-second detection latency, 91.4% accuracy, and a false positive rate below 5.2%. To our knowledge, this is the first systematic study of UI spoofing in social VR environments and the first deployable defense solution for such threats—establishing a new paradigm for real-time security analysis in immersive virtual worlds.

Social Virtual Reality (VR) platforms have surged in popularity, yet their security risks remain underexplored. This paper presents four novel UI attacks that covertly manipulate users into performing harmful actions through deceptive virtual content. Implemented on VRChat and validated in an IRB-approved study with 30 participants, these attacks demonstrate how deceptive elements can mislead users into malicious actions without their awareness. To address these vulnerabilities, we propose MetaScanner, a proactive countermeasure that rapidly analyzes objects and scripts in virtual worlds, detecting suspicious elements within seconds.