
Quantifying and Classifying Covert Communications on Android

Mobile Networks and Applications

Abstract

By exploiting known covert channels, Android applications today are able to bypass the built-in permission system and share data in a potentially untraceable manner. These channels have sufficient bandwidth to transmit sensitive information, such as GPS locations, in real-time to collaborating applications with Internet access. In this paper, we extend previous work involving an application layer covert communications detector. We measure the stability of the volume and vibration channels on the Android emulator, HTC G1, and Motorola Droid. In addition, we quantify the effect that our detector has on channel capacities for stealthy malicious applications using a theoretical model. Lastly, we introduce a new classification of covert and overt communication for the Android platform.


Notes

  1. For more details on Android security, see Enck et al. [10].

  2. Many settings live in native code drivers, such as the media volume and vibration settings.

  3. Our preliminary investigation found that virtually none of these settings were changed by popular applications in the Android Market. Thus, malicious applications would not have to worry about overcrowded settings channels.

  4. Applications are currently able to mark their own files on internal storage as world readable/writable, which we see as a potential security hole.

  5. Where m > (b − 1)q(n − 1)

References

  1. Damopoulos D, Kambourakis G, Gritzalis S (2013) From keyloggers to touchloggers: Take the rough with the smooth. Comput Sec 32(0):102–114. doi:10.1016/j.cose.2012.10.002. http://www.sciencedirect.com/science/article/pii/S0167404812001654

  2. Android (2012) Settings system. http://developer.android.com/reference/android/provider/Settings.System.html

  3. Barrera D, Kayacik H, van Oorschot P, Somayaji A (2010) A methodology for empirical analysis of permission-based security models and its application to android. In: Proceedings of the 17th ACM conference on computer and communications security. ACM, pp 73–84

  4. Blasing T, Batyuk L, Schmidt AD, Camtepe S, Albayrak S (2010) An android application sandbox system for suspicious software detection. In: 2010 5th International conference on malicious and unwanted software (MALWARE), pp 55–62. doi:10.1109/MALWARE.2010.5665792

  5. Bugiel S, Davi L, Dmitrienko A, Fischer T, Sadeghi A (2011) Xmandroid: A new android evolution to mitigate privilege escalation attacks, Security

  6. Damopoulos D, Menesidou SA, Kambourakis G, Papadaki M, Clarke N, Gritzalis S (2012) Evaluation of anomaly-based ids for mobile devices using machine learning classifiers. Secur Commun Networks 5(1):3–14. doi:10.1002/sec.341

  7. Dietz M, Shekhar S, Pisetsky Y, Shu A, Wallach D (2011) Quire: lightweight provenance for smart phone operating systems. In: USENIX security

  8. Dini G, Martinelli F, Saracino A, Sgandurra D (2012) Madam: a multi-level anomaly detector for android malware. In: Proceedings of the 6th international conference on mathematical methods, models and architectures for computer network security: computer network security, MMM-ACNS’12. Springer-Verlag, Berlin, pp 240–253. doi:10.1007/978-3-642-33704-821

  9. Enck W, Gilbert P, Chun B, Cox L, Jung J, McDaniel P, Sheth A (2010) Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX conference on operating systems design and implementation, USENIX Association, pp 1–6

  10. Enck W, Ongtang M, McDaniel P (2009) Understanding android security. IEEE Secur Privacy 7(1):50–57

  11. Gianvecchio S, Wang H (2007) Detecting covert timing channels: an entropy-based approach. In: Proceedings of the 14th ACM conference on computer and communications security. ACM, pp 307–316

  12. Hansen M, Hill R, Wimberly S (2012) Detecting covert communication on android. In: IEEE local computer networks 2012 conference

  13. Holloway R (2010) Covert dcf-a dcf-based covert timing channel in 802.11 networks

  14. Kemmerer R (1983) Shared resource matrix methodology: an approach to identifying storage and timing channels. ACM Trans Comput Syst (TOCS) 1(3):256–277

  15. Kemmerer R (2002) A practical approach to identifying storage and timing channels: twenty years later. In: 18th Annual computer security applications conference, 2002. Proceedings. IEEE, pp 109–118

  16. Lampson B (1973) A note on the confinement problem. Commun ACM 16(10):613–615

  17. Mulliner C, Vigna G, Dagon D, Lee W (2006) Using labeling to prevent cross-service attacks against smart phones. Detect Intrusions Malware Vulnerability Assess: 91–108

  18. Ongtang M, McLaughlin S, Enck W, McDaniel P (2009) Semantically rich application-centric security in android. In: Annual computer security applications conference, 2009. ACSAC’09. IEEE pp 340–349

  19. Schlegel R, Zhang K, Zhou X, Intwala M, Kapadia A, Wang X (2011) Soundcomber: a stealthy and context-aware sound trojan for smartphones. In: Proceedings of the network and distributed system security symposium

  20. Shabtai A, Kanonov U, Elovici Y, Glezer C, Weiss Y (2012) Andromaly: a behavioral malware detection framework for android devices. J Intell Inf Syst 38(1):161–190. doi:10.1007/s10844-010-0148-x

  21. Wang Z, Lee R (2005) New constructive approach to covert channel modeling and channel capacity estimation. Inf Secur: 498–505

  22. Wray J (1991) An analysis of covert timing channels. In: Proceedings IEEE computer society symposium on research in security and privacy, 1991. IEEE, pp 2–7

  23. Yan LK, Yin H (2012) Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX conference on security symposium, Security’12. USENIX Association, Berkeley, pp 29–29. http://dl.acm.org/citation.cfm?id=2.3627932362822

  24. Zhou Y, Zhang X, Jiang X, Freeh VW (2011) Taming information-stealing smartphone applications (on android). In: Proceedings of the 4th international conference on trust and trustworthy computing, TRUST’11. Springer-Verlag, Berlin, pp 93–107. http://dl.acm.org/citation.cfm?id=2.0222452022255


Corresponding author

Correspondence to Raquel Hill.


About this article

Cite this article

Hill, R., Hansen, M. & Singh, V. Quantifying and Classifying Covert Communications on Android. Mobile Netw Appl 19, 79–87 (2014). https://doi.org/10.1007/s11036-013-0482-7


  • DOI: https://doi.org/10.1007/s11036-013-0482-7
