Published by Bertina May. Modified over 8 years ago.
1
Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones
Authors: Roman Schlegel, Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang
Presentation by Bill Bouillon, Computer Engineering Ph.D. Candidate
2
Outline
- Problem
- Basic Idea
- Context-Aware Information Collection
- Stealthy Data Transmission
- Defense Architecture
- Evaluation
- Strengths/Weaknesses
- Conclusion
3
Problem
- Full-fledged computing platforms
- The plague of data-stealing malware
- Sensory malware, e.g. video camera, microphone
- Security protections
  - Java virtual machines on Android
  - Anti-virus
  - Control installing un-trusted software
- Limitations
  - Context of phone conversation is predictable and fingerprinted
  - Built-in covert channel
4
Basic Idea
- Main goal: extract a small amount of high-value private data from phone conversations and transmit it to a malicious party
- Major contributions:
  - Targeted, context-aware information discovery from sound recordings
  - Stealthy data transmission
  - Implementation and evaluation
  - Defensive architecture
5
Overview
- Assumptions: work under limited privileges
- Architectural overview
6
Credit Card Theft Scenario
- Call is recorded and analyzed
- Profile database uses state machine of IVR
- Inputs from user create state machine
- Target specific regions of audio for credit card number
- Transmitted by:
  - Web browser
  - Covert channel
7
Context-Aware Information Collection (1/7)
- Monitor the phone state
- Identify, record, analyze, extract
  1. Audio recording
  2. Audio processing
  3. Targeted data extraction using profiles
8
Context-Aware Information Collection (2/7)
1. Audio recording
- When to record
  - Whenever the user initiates a phone call
  - Recording in the background
- Determining the number called
  - Intercept outgoing phone calls / read contact data
  - The first segment: compare with keywords in database
  - Relevant, non-overlapping keywords
  - Minimize necessary permissions
9
Context-Aware Information Collection (3/7)
2. Audio processing
- Decode file
- Speech/tone recognition
- Speech/tone extraction
10
Context-Aware Information Collection (4/7)
a) Tone recognition
- DTMF (dual-tone multi-frequency)
- DTMF signaling channel to inform mobile phone network of the pressed key
- Aural feedback leaks to side channel
- Goertzel's algorithm
11
Context-Aware Information Collection (5/7)
b) Speech recognition
- Google service: speech recognition functionality
- PocketSphinx
- Segmentation into segments that contain speech
12
Context-Aware Information Collection (6/7)
3. Targeted data extraction using profiles
- Focus on IVRs (Interactive Voice Response systems)
- Phone menus based on predetermined profiles
13
Context-Aware Information Collection (7/7)
General profiles
- Speech signatures
- Sequence detection
- Speech characteristics
14
Stealthy Data Transmission
- Processing centrally isn't ideal
  - No local processing: 1-minute recording → 94 KB
  - Credit card number → 16 bytes
- Legitimate, existing application with network access
- A paired Trojan application with network access, communicating through a covert channel
15
Leveraging third-party applications
- Permission mechanism only restricts individual applications
- Ex: using the browser to open the URL http://target?number=N
- Drawback: more noticeable due to "foreground"
- Ads to cover
16
Covert channels with paired Trojans (1/4)
- Paired Trojans: Soundcomber, Deliverer
- Installation of paired Trojan applications
  - Pop-up ad
  - Packaged app
- Covert channels on the smartphone
  - Vibration settings
  - Volume settings
  - Screen
  - File locks
17
Covert channels with paired Trojans (2/4)
Vibration settings
- Any application can change the vibration settings
- Communication channel: every time the setting is changed, the system sends a notification to interested applications
- Saving and restoring original settings at opportune times
- No permissions needed
- Does not leave any traces
18
Covert channels with paired Trojans (3/4)
- Volume settings
  - Not automatically broadcast
  - Set and check the volume alternately
  - Miss a window
- Screen
  - Invisible visible channel
  - Covert channel: screen settings
  - Prevent the screen from actually turning on
  - Permission WAKE_LOCK
19
Covert channels with paired Trojans (4/4)
File locks
- Exchange information through competing for a file lock
- Signaling files S_1, ..., S_m
- One data file
- S_1 ... S_{m/2} for Soundcomber, S_{m/2+1} ... S_m for Deliverer
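A defender's view of the settings-based channels, as an added example that is not from the paper or the presentation: signalling through vibration or volume settings needs many changes per second from one app, far more than a user produces, so a per-app change-rate check over a settings-change log flags it. The log format, app names and the threshold of 5 changes per second are assumptions.

```python
from collections import defaultdict, deque

def constructed_log():
    """Constructed events: '<time_ms> <app> <setting> <value>' (not real data)."""
    lines = ["1000 com.example.music volume 5",
             "4000 com.example.music volume 6",
             "9000 com.example.music volume 4"]
    # 40 vibration toggles 12 ms apart (constructed; tens of changes per second)
    lines += [f"{5000 + i * 12} com.example.game vibrate {i % 2}" for i in range(40)]
    return sorted(lines, key=lambda l: int(l.split()[0]))

def find_bursts(lines, window_ms=1000, max_changes=5):
    """Return {(app, setting): peak changes per window} for keys over the limit."""
    recent = defaultdict(deque)   # per (app, setting): timestamps inside the window
    peaks = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # skip malformed lines instead of aborting the scan
        ts, key = int(fields[0]), (fields[1], fields[2])
        window = recent[key]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while ts - window[0] >= window_ms:
            window.popleft()
        if len(window) > max_changes:
            peaks[key] = max(peaks.get(key, 0), len(window))
    return peaks
```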
20
Defense Architecture
- Add a context-sensitive reference monitor to control the AudioFlinger service
- Block all applications from accessing the audio data when a sensitive call is in progress
- Reference Service
  - RIL (radio interface layer)
  - Enter/leave a sensitive state
- Controller
  - Embedded in the AudioFlinger service
  - Exclusive Mode / Non-Exclusive Mode
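A small model of the reference monitor described on this slide, as an added example that is not the paper's or Android's code: a reference service switches a controller between non-exclusive and exclusive mode from the dialed number, and the controller denies new record sessions and silences existing ones while a sensitive call is in progress. Class and method names, the sensitive-number list and the choice to enforce at read time are assumptions.

```python
from enum import Enum

Mode = Enum("Mode", "NON_EXCLUSIVE EXCLUSIVE")

def normalize(number):  # digits only, so formatting cannot bypass the match
    return "".join(ch for ch in number if ch.isdigit())

class Controller:  # stand-in for the controller embedded in the audio service
    def __init__(self):
        self.mode = Mode.NON_EXCLUSIVE
        self.sessions = set()   # apps holding an open record session
        self.audit = []         # (app, event) pairs for later review

    def open_record(self, app):
        if self.mode is Mode.EXCLUSIVE:
            self.audit.append((app, "open denied"))
            return False
        self.sessions.add(app)
        return True

    def read(self, app, mic_frames):
        if app not in self.sessions:
            raise PermissionError(f"{app} has no record session")
        if self.mode is Mode.EXCLUSIVE:
            # A session opened before the call must not keep receiving audio.
            self.audit.append((app, "read silenced"))
            return bytes(len(mic_frames))
        return mic_frames

class ReferenceService:  # fed with the dialed number, as the RIL would report it
    def __init__(self, controller, sensitive_numbers):
        self.controller = controller
        self.sensitive = {normalize(n) for n in sensitive_numbers}

    def on_call_started(self, dialed):
        if normalize(dialed) in self.sensitive:
            self.controller.mode = Mode.EXCLUSIVE

    def on_call_ended(self):
        self.controller.mode = Mode.NON_EXCLUSIVE

def demo():
    ctl = Controller()
    ref = ReferenceService(ctl, {"1-800-555-0100"})  # constructed number
    ctl.open_record("recorder.app")                  # opened before the call
    ref.on_call_started("+1 (800) 555-0100")
    during = (ctl.read("recorder.app", b"\x11\x22"), ctl.open_record("late.app"))
    ref.on_call_ended()
    return during, ctl.read("recorder.app", b"\x11\x22"), ctl.audit
```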
21
Evaluation (1/6)
- Environment
  - Credit-card number from online automatic generator
  - Software information in paper
  - Wi-Fi
- Service hotline detection
  - Important to minimize false positives
  - 5 different service hotlines of financial institutions tested
  - 4 samples and then extracted keywords to build database profile
  - 20 simulated normal phone calls
22
Evaluation (2/6)
- Tone recognition
  - 20 samples of phone conversation
  - Outcome of recognition compared with the real digits
- Speech recognition
  - Analyzed 60 recordings of simulated calls
  - 20 samples from 3 test subjects
  - Outcome of recognition compared with the real digits
- Profile-based data discovery
  - 2 profiles using service hotlines created
  - 20 calls followed a script for each hotline
  - Allowed to deviate from script
23
Evaluation (3/6)
- Covert channel study
  - Bits per second determines length of transmission
  - 55-byte messages run through different channels
- Reference monitor
  - Changes made to AudioFlinger
  - Compiled into modified Android OS
  - Installed onto an Android HTC developer phone
24
Evaluation (4/6)
Effectiveness
- Service hotline detection
  - Correctly identified 55% of hotlines
  - 0% false positive rate on normal conversations
- Speech recognition
  - Identified 55% of credit card numbers correctly
  - Identified 20% of numbers with one digit wrong or missing
- Tone recognition
  - Identified 85% of credit card numbers correctly
  - Other 15% only had a one-digit error
- Detection by anti-virus application
  - VirusGuard and SMobile Systems did not detect Soundcomber as malware
25
Evaluation (5/6)
Performance
- Service hotline detection
  - First segment average length = 6.1 s
  - Recognition of hotline average = 34.6 s
- Tone/speech recognition
26
Evaluation (6/6)
Performance
- Covert channels
  - File-locking = 685 bps
  - Volume = 150 bps
  - Vibration = 87 bps
  - Screen-setting = 5.29 bps
- Reference monitor
  - During sensitive call, 4.27 ms delay to controller
  - During non-sensitive call, 0.90 ms delay
  - 0.85% of time spent in controller
27
Strengths
- Low cost on phone
  - Power
  - Data transmission
  - Speed
  - Memory
- Multiple avenues of attack
- Little to no alert to user
28
Weaknesses
- Installation of malware
- Requires two applications
- Requires access to microphone
- Analysis during wrong time may alert user
- Strict coordination involved for some methods
29
Conclusion
- Soundcomber effectively uses covert channels and innocuous permissions to leak sensitive information
- More defensive research needed on sensory data stealing
- Highlighted the threat of stealthy sensory malware
30
Questions and Discussion