
Authors Roman Schlegel Kehuan Zhang Xiaoyong Zhou Mehool Intwala Apu Kapadia XiaoFeng Wang Soundcomber : A Stealthy and Context-Aware Sound Trojan for.


1 Authors: Roman Schlegel, Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang
Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones
Presentation by Bill Bouillon, Computer Engineering Ph.D. Candidate

2 Outline
- Problem
- Basic Idea
- Context-Aware Information Collection
- Stealthy Data Transmission
- Defense Architecture
- Evaluation
- Strengths/Weaknesses
- Conclusion

3 Problem
Full-fledged computing platforms
The plague of data-stealing malware
- Sensory malware, e.g. video camera, microphone
Security protections
- Java virtual machines on Android
- Anti-virus
- Control installing untrusted software
Limitations
- Context of phone conversation is predictable and fingerprinted
- Built-in covert channel

4 Basic Idea
Main goal:
- Extract a small amount of high-value private data from phone conversations and transmit it to a malicious party
Major contributions:
- Targeted, context-aware information discovery from sound recordings
- Stealthy data transmission
- Implementation and evaluation
- Defensive architecture

5 Overview
Assumptions
- work under limited privileges
Architectural overview

6 Credit Card Theft Scenario
Call is recorded and analyzed
Profile database uses state machine of IVR
- Inputs from user create state machine
- Target specific regions of audio for Credit Card Number
Transmitted by:
- Web browser
- Covert channel

7 Context-Aware Information Collection (1/7)
Monitor the phone state
Identify, record, analyze, extract
1. Audio recording
2. Audio processing
3. Targeted data extraction using profiles

8 Context-Aware Information Collection (2/7)
1. Audio recording
- When to record
  - Whenever the user initiates a phone call
  - Recording in the background
- Determining the number called
  - intercept outgoing phone calls / read contact data
  - compare the first segment with keywords in the database
  - relevant, non-overlapping keywords
  - minimize necessary permissions

9 Context-Aware Information Collection (3/7)
2. Audio processing
- decode file
- speech/tone recognition
- speech/tone extraction

10 Context-Aware Information Collection (4/7)
a) Tone recognition
- DTMF (dual-tone multi-frequency)
- signaling channel to inform mobile phone network of the pressed key
- aural feedback leaks to side-channel
- Goertzel’s algorithm

11 Context-Aware Information Collection (5/7)
b) Speech recognition
- Google service: speech recognition functionality
- PocketSphinx
- Segmentation --- contain speech

12 Context-Aware Information Collection (6/7)
3. Targeted data extraction using profiles
- focus on IVRs (Interactive Voice Response systems)
- Phone menus
- based on predetermined profiles

13 Context-Aware Information Collection (7/7)
- general profiles
- Speech signatures
- Sequence detection
- Speech characteristics

14 Stealthy Data Transmission
Processing centrally isn’t ideal
No local processing on 1 minute recording → 94KB
Credit card number → 16 bytes
Legitimate, existing application with network access
A paired Trojan application with network access and communication through covert channel

15 Leveraging third-party applications
Permission mechanism only restricts individual applications
- e.g. using the browser to open the URL http://target?number=N
Drawback: more noticeable due to “foreground”
- Ads to cover

16 Covert channels with paired Trojans (1/4)
Paired Trojans: Soundcomber, Deliverer
Installation of paired Trojan applications
- Pop-up ad.
- Packaged app.
Covert channels on the smartphone
- Vibration settings
- Volume settings
- Screen
- File locks

17 Covert channels with paired Trojans (2/4)
- Vibration settings
  - any application can change the vibration settings
  - communication channel: every time the setting is changed, the system sends a notification to interested applications
  - saving and restoring original settings at opportune times
  - no permissions needed
  - does not leave any traces

18 Covert channels with paired Trojans (3/4)
- Volume settings
  - not automatically broadcast
  - set and check the volume alternately
  - miss a window
- Screen
  - invisible visible channel
  - covert channel: screen settings
  - prevent the screen from actually turning on
  - permission WAKE_LOCK

19 Covert channels with paired Trojans (4/4)
- File locks
  - exchange information through competing for a file lock
  - signaling files, S_1, …, S_m
  - one data file
  - S_1 to S_{m/2} for Soundcomber, S_{m/2+1} to S_m for Deliverer

20 Defense Architecture
Add a context-sensitive reference monitor to control the AudioFlinger service
Block all applications from accessing the audio data when a sensitive call is in progress
Reference Service RIL (radio interface layer)
- enter/leave a sensitive state
Controller
- Embedded in the AudioFlinger service
- Exclusive Mode / Non-Exclusive Mode
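The reference monitor from slide 20, modelled as a small C++ state machine. This is an added example, not code from the presentation, the Soundcomber paper or Android: the class names, UIDs and phone numbers are hypothetical, and stopping recordings that began before the sensitive call is an assumption about what exclusive mode should do.

```cpp
#include <cctype>
#include <set>
#include <string>
#include <vector>
// Simplified model, not Android source; every name here is hypothetical.
enum class Mode { NonExclusive, Exclusive };
// Keep digits only so "+1 (800) 555-0100" and "18005550100" compare equal.
static std::string normalize(const std::string& number) {
    std::string digits;
    for (unsigned char c : number)
        if (std::isdigit(c)) digits.push_back(static_cast<char>(c));
    return digits;
}
// Controller: stands in for the check embedded in the audio service.
class Controller {
public:
    bool isRecording(int uid) const { return active_.count(uid) != 0; }
    const std::vector<int>& denied() const { return denied_; }
    // Returns true if the app may start recording now; denials are logged.
    bool requestRecord(int uid) {
        if (mode_ == Mode::Exclusive) { denied_.push_back(uid); return false; }
        active_.insert(uid);
        return true;
    }
    // Assumption: entering exclusive mode also stops recordings already running.
    void setMode(Mode m) {
        mode_ = m;
        if (m == Mode::Exclusive) active_.clear();
    }
private:
    Mode mode_ = Mode::NonExclusive;
    std::set<int> active_;     // UIDs currently recording
    std::vector<int> denied_;  // audit trail of blocked requests
};

// Reference service: notified of call start/end, decides the sensitive state.
class ReferenceService {
public:
    ReferenceService(Controller& c, const std::set<std::string>& numbers) : ctl_(c) {
        for (const auto& n : numbers) sensitive_.insert(normalize(n));
    }
    void onCallStarted(const std::string& dialed) {
        if (sensitive_.count(normalize(dialed))) ctl_.setMode(Mode::Exclusive);
    }
    void onCallEnded() { ctl_.setMode(Mode::NonExclusive); }
private:
    Controller& ctl_;
    std::set<std::string> sensitive_;  // normalized sensitive numbers
};
```

The revocation step matters because slide 8 has the recorder starting in the background as soon as a call is initiated, so a check applied only to new record requests would miss a recorder that is already running.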

21 Evaluation (1/6)
Environment
- Credit-card number from online automatic generator
- Software information in paper
- Wi-Fi
Service hotline detection
- Important to minimize false positives
- 5 different service hotlines of financial institutions tested
- 4 samples and then extracted keywords to build database profile
- 20 simulated normal phone calls

22 Evaluation (2/6)
Tone recognition
- 20 samples of phone conversation
- Outcome of recognition compared with the real digits
Speech recognition
- Analyzed 60 recordings of simulated calls
- 20 samples from 3 test subjects
- Outcome of recognition compared with the real digits
Profile-based data discovery
- 2 profiles using service hotlines created
- 20 calls followed a script for each hotline
- Allowed to deviate from script

23 Evaluation (3/6)
Covert channel study
- Bits per second determines length of transmission
- 55 byte messages ran through different channels
Reference monitor
- Changes made to AudioFlinger
- Compiled to modified Android OS
- Installed onto an Android HTC developer phone

24 Evaluation (4/6)
Effectiveness
- Service hotline detection
  - Correctly identified 55% of hotlines
  - 0% false positive rate on normal conversations
- Speech recognition
  - Identified 55% of credit card numbers correctly
  - Identified 20% of numbers with one digit wrong or missing
- Tone recognition
  - Identified 85% of credit card numbers correctly
  - Other 15% only had a one-digit error
- Detection by anti-virus application
  - VirusGuard and SMobile Systems did not detect Soundcomber as malware

25 Evaluation (5/6)
Performance
- Service hotline detection
  - First segment average length = 6.1 s
  - Recognition of hotline average = 34.6 s
- Tone/speech recognition

26 Evaluation (6/6)
Performance
- Covert channels
  - File-locking = 685 bps
  - Volume = 150 bps
  - Vibration = 87 bps
  - Screen-setting = 5.29 bps
- Reference monitor
  - During sensitive call, 4.27 ms delay to controller
  - During non-sensitive call, 0.90 ms delay
  - 0.85% of time spent in controller

27 Strengths
Low cost on phone
- Power
- Data transmission
Speed
- Memory
Multiple avenues of attack
Little to no alert to user

28 Weaknesses
- Installation of malware
- Requires two applications
- Requires access to microphone
- Analysis during wrong time may alert user
- Strict coordination involved for some methods

29 Conclusion
- Soundcomber effectively uses covert channels and innocuous permissions to leak sensitive information
- More defensive research needed on sensory data stealing
- Highlighted the threat of stealthy sensory malware

30 Questions and Discussion

