Roman Schlegel City University of Hong Kong Kehuan Zhang Xiaoyong Zhou Mehool Intwala Apu Kapadia XiaoFeng Wang Indiana University Bloomington NDSS SYMPOSIUM.

1 Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones
Roman Schlegel (City University of Hong Kong); Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang (Indiana University Bloomington)
NDSS Symposium 2011
Presenter: 張逸文

2 Outline
- Introduction
- Overview
- Context-Aware Information Collection
- Stealthy Data Transmission
- Defense Architecture
- Evaluation
- Discussion
- Conclusion

3 Introduction (1/2)
- Full-fledged computing platforms
- The plague of data-stealing malware
  - Sensory malware, e.g. video camera, microphone
- Security protections
  - Java virtual machines on Android
  - Anti-virus
  - Control installing untrusted software
- Two new observations
  - Context of phone conversation is predictable and fingerprinted
  - Built-in covert channel

4 Introduction (2/2)
- Main goal:
  - Extract a small amount of high-value private data from phone conversations and transmit it to a malicious party
- Major contributions:
  - Targeted, context-aware information discovery from sound recordings
  - Stealthy data transmission
  - Implementation and evaluation
  - Defensive architecture

6 Overview (1/2)
- Assumptions
  - Work under limited privileges
- Architectural overview

7 Overview (2/2)
- Video demo
- 4392 2588 8888 8888

9 Context-Aware Information Collection (1/7)
- Monitor the phone state
- Identify, record, analyze, extract
1. Audio recording
2. Audio processing
3. Targeted data extraction using profiles

10 Context-Aware Information Collection (2/7)
1. Audio recording
- When to record
- Whenever the user initiates a phone call
- Recording in the background
- Determining the number called
- Intercept outgoing phone calls / read contact data
- Compare the first segment with keywords in a database
- Relevant, non-overlapping keywords
- Minimize necessary permissions

11 Context-Aware Information Collection (3/7)
2. Audio processing
- Decode file
- Speech/tone recognition
- Speech/tone extraction

12 Context-Aware Information Collection (4/7)
a) Tone recognition
- DTMF (dual-tone multi-frequency)
- Signaling channel to inform the mobile phone network of the pressed key
- Aural feedback leaks to side channel
- Goertzel's algorithm
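Why the audible keypad feedback on this slide counts as a leak: each key is a fixed pair of tones, and Goertzel's algorithm measures the energy at just those eight frequencies. The sketch below is an added example, not code from the slides or the paper; the 8 kHz rate, 205-sample block, energy-share threshold and the synthetic test tones are assumptions chosen for the illustration.

```python
import math

# Standard DTMF frequencies (Hz) and keypad layout; 205 samples at 8 kHz
# (about 25 ms) is a common block size, assumed here.
ROWS = (697, 770, 852, 941)
COLS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
RATE, BLOCK = 8000, 205

def goertzel_power(samples, freq, rate=RATE):
    """Squared magnitude of the DFT bin nearest freq, via Goertzel's recurrence."""
    n = len(samples)
    k = round(n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_key(samples, rate=RATE, min_share=0.05):
    """Return the key whose row and column tones dominate the block, else None."""
    energy = len(samples) * sum(x * x for x in samples)
    if energy == 0:
        return None  # silence

    def strongest(freqs):
        power, idx = max((goertzel_power(samples, f, rate), i)
                         for i, f in enumerate(freqs))
        # Reject bins that hold only leakage or noise, not a real tone.
        return idx if power >= min_share * energy else None

    row, col = strongest(ROWS), strongest(COLS)
    return None if row is None or col is None else KEYS[row][col]

def synth_tone(freqs, n=BLOCK, rate=RATE):
    """Constructed test signal: equal-amplitude sum of the given sine tones."""
    return [sum(0.5 * math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]

def keypad_tone(key):
    """Constructed feedback tone for one key (row tone plus column tone)."""
    row = next(r for r, keys in enumerate(KEYS) if key in keys)
    return synth_tone((ROWS[row], COLS[KEYS[row].index(key)]))

if __name__ == "__main__":
    print([detect_key(keypad_tone(k)) for k in "159#"])
```

Eight single-bin evaluations per block are far cheaper than a full FFT, which is why this algorithm suits a phone-class CPU.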

13 Context-Aware Information Collection (5/7)
b) Speech recognition
- Google service: speech recognition functionality
- PocketSphinx
- Segmentation: segments that contain speech

14 Context-Aware Information Collection (6/7)
3. Targeted data extraction using profiles
- Focus on IVRs (interactive voice response systems)
- Phone menus
- Based on predetermined profiles

15 Context-Aware Information Collection (7/7)
- General profiles
- Speech signatures
- Sequence detection
- Speech characteristics

17 Stealthy Data Transmission
- Processing centrally isn't ideal
- No local processing on 1 minute recording → 94 KB
- Credit card number → 16 bytes
- Legitimate, existing application with network access
- A paired Trojan application with network access and communication through covert channel

18 Leveraging third-party applications
- Permission mechanism only restricts individual applications
  - Ex: using the browser to open the URL http://target?number=N
- Drawback: more noticeable due to "foreground"
  - Ads to cover

19 Covert channels with paired Trojans (1/4)
- Paired Trojans: Soundminer, Deliverer
- Installation of paired Trojan applications
  - Pop-up ad
  - Packaged app
- Covert channels on the smartphone
  - Vibration settings
  - Volume settings
  - Screen
  - File locks

20 Covert channels with paired Trojans (2/4)
- Vibration settings
  - Any application can change the vibration settings
  - Communication channel: every time the setting is changed, the system sends a notification to interested applications
  - Saving and restoring original settings at opportune times
  - No permissions needed
  - Does not leave any traces

21 Covert channels with paired Trojans (3/4)
- Volume settings
  - Not automatically broadcast
  - Set and check the volume alternately
  - 3 bits per iteration
  - Sending at times
  - Reading at times
  - Miss a window
- Screen
  - Invisible visible channel
  - Covert channel: screen settings
  - Prevent the screen from actually turning on
  - Permission WAKE_LOCK

22 Covert channels with paired Trojans (4/4)
- File locks
  - Exchange information through competing for a file lock
  - Signaling files S_1, ..., S_m
  - One data file
  - S_1 to S_{m/2} for Soundminer, S_{m/2+1} to S_m for Deliverer

24 Defense Architecture
- Add a context-sensitive reference monitor to control the AudioFlinger service
- Block all applications from accessing the audio data when a sensitive call is in progress
- Reference Service
- RIL (radio interface layer)
  - Enter/leave a sensitive state
- Controller
  - Embedded in the AudioFlinger service
  - Exclusive Mode / Non-Exclusive Mode
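A small model of the reference monitor on this slide, showing the case that is easy to miss: a recording that started before the sensitive call has to be cut off, not just new requests refused. This is an added example, not the authors' implementation; the class and method names, the `OFFHOOK`/`IDLE` state strings, the digit-only number matching and the hotline number are assumptions made for the illustration.

```python
import re

class Controller:
    """Stand-in for the controller embedded in the audio service."""
    def __init__(self):
        self.exclusive = False
        self.streams = set()   # apps currently holding a record stream
        self.audit = []        # (event, app) pairs for later review

    def set_exclusive(self, on):
        self.exclusive = on
        if on:
            # Recordings started before the call must not keep running.
            self.audit += [("revoked", app) for app in sorted(self.streams)]
            self.streams.clear()

    def open_record(self, app):
        if self.exclusive:
            self.audit.append(("denied", app))
            return False
        self.streams.add(app)
        return True

    def read(self, app, frame):
        # Only a live stream outside exclusive mode sees microphone data.
        return frame if app in self.streams and not self.exclusive else b""

class ReferenceService:
    """Maps call-state events from the RIL to the controller's mode."""
    def __init__(self, controller, sensitive_numbers):
        self.controller = controller
        self.sensitive = {self._digits(n) for n in sensitive_numbers}

    @staticmethod
    def _digits(number):
        return re.sub(r"\D", "", number)   # "1-800-555-0100" -> "18005550100"

    def on_call_state(self, state, number=""):
        if state == "OFFHOOK" and self._digits(number) in self.sensitive:
            self.controller.set_exclusive(True)    # enter sensitive state
        elif state == "IDLE":
            self.controller.set_exclusive(False)   # leave sensitive state

def demo():
    ctl = Controller()
    ref = ReferenceService(ctl, ["1-800-555-0100"])   # constructed hotline number
    ctl.open_record("recorder")                        # starts before the call
    ref.on_call_state("OFFHOOK", "1 800 555 0100")
    during = (ctl.read("recorder", b"\x01\x02"), ctl.open_record("recorder"))
    ref.on_call_state("IDLE")
    after = ctl.open_record("recorder")
    return during, after, ctl.audit
```

Matching on digits only keeps a differently formatted dial string from slipping past the sensitive-number list.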

26 Evaluation (1/2)
- Experiment settings
  - Environment
  - Service hotline detection
  - Tone recognition
  - Speech recognition: getrusage()
  - Profile-based data discovery: extracted high-value information
  - Covert channel study: bandwidth in bits per second
  - Reference monitor

27 Evaluation (2/2)
- Experiment results
  - Effectiveness
  - Service hotline detection
  - Tone/speech recognition
  - Detection by anti-virus applications
  - Performance

29 Discussion
- Improvements on attack
- Defenses

30 Conclusion
- Soundminer, innocuous permissions
- Defense on sensor data stealing
- Highlighted the threat of stealthy sensory malware

31 Thanks ~

32 Goertzel's algorithm

33 Performance

