Wenrui Diao
ABSTRACT
Previous research about sensor based attacks on Android platform focused mainly on accessing or controlling over sensitive components, such as camera, microphone and GPS. These approaches obtain data from sensors directly and need corresponding sensor invoking permissions.
This paper presents a novel approach (GVS-Attack) to launch permission bypassing attacks from a zero-permission Android application (VoicEmployer) through the phone speaker. The idea of GVS-Attack is to utilize an Android system built-in voice assistant module -- Google Voice Search. With Android Intent mechanism, VoicEmployer can bring Google Voice Search to foreground, and then plays prepared audio files (like "call number 1234 5678") in the background. Google Voice Search can recognize this voice command and perform corresponding operations. With ingenious design, our GVS-Attack can forge SMS/Email, access privacy information, transmit sensitive data and achieve remote control without any permission. Moreover, we found a vulnerability of status checking in Google Search app, which can be utilized by GVS-Attack to dial arbitrary numbers even when the phone is securely locked with password.
A prototype of VoicEmployer has been implemented to demonstrate the feasibility of GVS-Attack. In theory, nearly all Android (4.1+) devices equipped with Google Services Framework can be affected by GVS-Attack. This study may inspire application developers and researchers to rethink that zero permission doesn't mean safety and the speaker can be treated as a new attack surface.
- Android Developers. Common Intents. http://developer:android:com/guide/components/intents-common:html.Google Scholar
- Android Developers. Intent. http://developer:android:com/reference/android/content/Intent:html.Google Scholar
- Android Developers. Platform versions. https://developer:android:com/about/dashboards/index:html#Platform.Google Scholar
- Android Developers. RecognizerIntent. http://developer:android:com/reference/android/speech/RecognizerIntent:html.Google Scholar
- Android Developers. TextToSpeech. http://developer:android:com/reference/android/speech/tts/TextToSpeech:html.Google Scholar
- AOSP. HeadsetStateMachine. https://android:googlesource:com/platform/packages/apps/Bluetooth/.Google Scholar
- AOSP. Telephony. https://android:googlesource:com/platform/packages/services/Telephony/.Google Scholar
- Apple. Siri. http://www:apple:com/ios/siri/.Google Scholar
- K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. Pscout: analyzing the android permission specification. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 217--228. ACM, 2012. Google ScholarDigital Library
- A. J. Aviv, B. Sapp, M. Blaze, and J. M. Smith. Practicality of accelerometer side channels on smartphones. In Proceedings of the 28th Annual Computer Security Applications Conference, pages 41--50. ACM, 2012. Google ScholarDigital Library
- H. Beigi. Fundamentals of speaker recognition. Springer, 2011. Google ScholarDigital Library
- S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, and B. Shastry. Towards taming privilege-escalation attacks on android. In 19th Annual Network & Distributed System Security Symposium (NDSS), volume 17, pages 18--25, 2012.Google Scholar
- L. Cai and H. Chen. Touchlogger: inferring keystrokes on touch screen from smartphone motion. In Proceedings of the 6th USENIX conference on Hot topics in security, pages 9--9. USENIX Association, 2011. Google ScholarDigital Library
- P. P. Chan, L. C. Hui, and S.-M. Yiu. Droidchecker: analyzing android applications for capability leak. In Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, pages 125--136. ACM, 2012. Google ScholarDigital Library
- E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in android. In Proceedings of the 9th international conference on Mobile systems, applications, and services, pages 239--252. ACM, 2011. Google ScholarDigital Library
- A. Clark, C. Fox, and S. Lappin. The handbook of computational linguistics and natural language processing, volume 57. John Wiley & Sons, 2010.Google Scholar
- CyanogenMod. Google Apps. http://wiki:cyanogenmod:org/w/Google_Apps.Google Scholar
- A. Das, N. Borisov, and M. Caesar. Do you hear what I hear? fingerprinting smart devices through embedded acoustic components. In (To appear) Proceedings of the 2014 ACM conference on Computer and communications security. ACM, 2014. Google ScholarDigital Library
- L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy. Privilege escalation attacks on android. In Information Security, pages 346--360. Springer, 2011. Google ScholarDigital Library
- S. Dey, N. Roy, W. Xu, R. R. Choudhury, and S. Nelakuditi. Accelprint: Imperfections of accelerometers make smartphones trackable. In Proceedings of the 21st Annual Network and Distributed System Security Symposium, NDSS, 2014.Google ScholarCross Ref
- W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In OSDI, volume 10, pages 1--6, 2010. Google ScholarDigital Library
- A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proceedings of the 18th ACM conference on Computer and communications security, pages 627--638. ACM, 2011. Google ScholarDigital Library
- A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android permissions: User attention, comprehension, and behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security, page 3. ACM, 2012. Google ScholarDigital Library
- A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. In USENIX Security Symposium, 2011. Google ScholarDigital Library
- H. W. Gellersen, A. Schmidt, and M. Beigl. Multi-sensor context-awareness in mobile devices and smart artifacts. Mobile Networks and Applications, 7(5):341--351, 2002. Google ScholarDigital Library
- Google. Google Apps for Android. https://www:google:com/mobile/android/.Google Scholar
- Google. Use your voice on Android. https://support:google:com/websearch/answer/2940021?hl=en&ref_topic=4409793.Google Scholar
- M. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic detection of capability leaks in stock android smartphones. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, 2012.Google Scholar
- C. Hadnagy. Social engineering: The art of human hacking. John Wiley & Sons, 2010.Google Scholar
- R. Hasan, N. Saxena, T. Haleviz, S. Zawoad, and D. Rinehart. Sensing-enabled channels for hard-to-detect command and control of mobile devices. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 469--480. ACM, 2013. Google ScholarDigital Library
- C. Hurtley. Night noise guidelines for Europe. WHO Regional Office Europe, 2009.Google Scholar
- IDC. Worldwide smartphone shipments edge past 300 million units in the second quarter; android and ios devices account for 96% of the global market, according to IDC. http://www:idc:com/getdoc:jsp?containerId=prUS25037214, August, 2014.Google Scholar
- D. Kantola, E. Chin, W. He, and D. Wagner. Reducing attack surfaces for intra-application communication in android. In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices, pages 69--80. ACM, 2012. Google ScholarDigital Library
- Kaspersky Lab. Kaspersky security bulletin 2013. http://media:kaspersky:com/pdf/KSB_2013_EN:pdf, December 2013.Google Scholar
- Y.-S. Lee and S.-B. Cho. Activity recognition using hierarchical hidden markov models on a smartphone with 3d accelerometer. In Hybrid Artificial Intelligent Systems, pages 460--467. Springer, 2011. Google ScholarDigital Library
- Microsoft. Cortana. http://www:windowsphone:com/en-us/features#Cortana.Google Scholar
- Motorola. How do I setup and use touchless control?https://motorola-global-portal:custhelp:com/app/answers/prod_answer_detail/a_id/94881/p/30;6720;8696/action/auth.Google Scholar
- Motorola. Touchless Control. http://www:motorola:com/us/Moto-XFeatures-Touchless-Control/motoxfeatures-2-touchless:html.Google Scholar
- A. Muzet. Environmental noise, sleep and health. Sleep medicine reviews, 11(2):135--142, 2007.Google Scholar
- E. Owusu, J. Han, S. Das, A. Perrig, and J. Zhang. Accessory: password inference using accelerometers on smartphones. In Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications, page 9. ACM, 2012. Google ScholarDigital Library
- Ponemon Institute. Smartphone security survey of U.S. consumers. http://aa-download:avg:com/filedir/other/Smartphone:pdf, March, 2011.Google Scholar
- S. Rosen and P. Howell. Signals and systems for speech and hearing, volume 29. BRILL, 2011.Google Scholar
- B. P. Rubin. Google previews "Android L" at I/O. http://www:besttechie:com/2014/06/25/google-previews-android-l-at-io/.Google Scholar
- Samsung. S Voice. http://www:samsung:com/global/galaxys3/svoice:html.Google Scholar
- J. Schalkwyk, D. Beeferman, F. Beaufays, B. Byrne, C. Chelba, M. Cohen, M. Kamvar, and B. Strope. "Your word is my command": Google search by voice: A case study. In Advances in Speech Recognition, pages 61--90. Springer, 2010.Google ScholarCross Ref
- R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia, and X. Wang. Soundcomber: A stealthy and context-aware sound trojan for smartphones. In Proceedings of the 18st Annual Network and Distributed System Security Symposium, NDSS, 2011.Google Scholar
- L. Simon and R. Anderson. Pin skimmer: inferring pins through the camera and microphone. In Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices, pages 67--78. ACM, 2013. Google ScholarDigital Library
- A. Smith. Americans and their cell phones. Pew Internet & American Life Project, 15, 2011.Google Scholar
- R. Templeman, Z. Rahman, D. Crandall, and A. Kapadia. PlaceRaider: Virtual theft in physical spaces with smartphones. In Proceedings of the 20th Annual Network and Distributed System Security Symposium, NDSS, 2013.Google Scholar
- VB-Audio Software. VB-Audio Virtual Cable. http://vb-audio:pagesperso-orange:fr/Cable/.Google Scholar
- Wikipedia. Sound pressure. http://en:wikipedia:org/wiki/Sound_pressure.Google Scholar
- L. Wu, M. Grace, Y. Zhou, C. Wu, and X. Jiang. The impact of vendor customizations on android security. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 623--634. ACM, 2013. Google ScholarDigital Library
- L. K. Yan and H. Yin. Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In Proceedings of the 21st USENIX Security Symposium, 2012. Google ScholarDigital Library
- X. Zhou, Y. Lee, N. Zhang, M. Naveed, and X. Wang. The peril of fragmentation: Security hazards in android device driver customizations. In Security and Privacy (SP), 2014 IEEE Symposium on. IEEE, 2014. Google ScholarDigital Library
- Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 95--109. IEEE, 2012. Google ScholarDigital Library
- Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the 19th Annual Network and Distributed System Security Symposium, pages 5--8, 2012.Google Scholar
- Z. Zhou, W. Diao, X. Liu, and K. Zhang. Acoustic fingerprinting revisited: Generate stable device id stealthily with inaudible sound. In (To appear) Proceedings of the 2014 ACM conference on Computer and communications security. ACM, 2014. Google ScholarDigital Library
Index Terms
- Your Voice Assistant is Mine: How to Abuse Speakers to Steal Information and Control Your Phone
Recommendations
Vetting undesirable behaviors in android apps with permission use analysis
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications securityAndroid platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent ...
revDroid: Code Analysis of the Side Effects after Dynamic Permission Revocation of Android Apps
ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications SecurityDynamic revocation of permissions of installed Android applications has been gaining popularity, because of the increasing concern of security and privacy in the Android platform. However, applications often crash or misbehave when their permissions are ...
App in the Middle: Demystify Application Virtualization in Android and its Security Threats
Customizability is a key feature of the Android operating system that differentiates it from Apple's iOS. One concrete feature that gaining popularity is called "app virtualization''. This feature allows multiple copies of the same app to be installed ...
Comments