Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones

Uploaded by parisfawnAI and Robotics, Nov 17, 2013

Roman Schlegel (City University of Hong Kong)
Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang (Indiana University Bloomington)

NDSS Symposium 2011

Presenter: 張逸文

Outline

- Introduction
- Overview
- Context-Aware Information Collection
- Stealthy Data Transmission
- Defense Architecture
- Evaluation
- Discussion
- Conclusion

Introduction (1/2)

- Smartphones are full-fledged computing platforms
- The plague of data-stealing malware
- Sensory malware, e.g. abusing the video camera or microphone
- Security protections:
  - Java virtual machines on Android
  - Anti-virus
  - Control over installing untrusted software
- Two new observations:
  - The context of a phone conversation is predictable and can be fingerprinted
  - Built-in covert channels

Introduction (2/2)

- Main goal:
  - Extract a small amount of high-value private data from phone conversations and transmit it to a malicious party
- Major contributions:
  - Targeted, context-aware information discovery from sound recordings
  - Stealthy data transmission
  - Implementation and evaluation
  - Defensive architecture



Overview (1/2)

- Assumptions: the Trojan works under limited privileges
- Architectural overview

Overview (2/2)

- Video demo: 4392 2588 8888 8888


Context-Aware Information Collection (1/7)

- Monitor the phone state
- Identify, record, analyse, extract:
  1. Audio recording
  2. Audio processing
  3. Targeted data extraction using profiles

Context-Aware Information Collection (2/7)

1. Audio recording
- When to record: whenever the user initiates a phone call
- Recording in the background
- Determining the number called:
  - Intercept outgoing phone calls / read contact data
  - Compare the first segment of the recording with keywords in a database
  - Relevant, non-overlapping keywords
  - Minimize the necessary permissions


Context-Aware Information Collection (3/7)

2. Audio processing
- Decode the file
- Speech/tone recognition
- Speech/tone extraction

Context-Aware Information Collection (4/7)

a) Tone recognition
- DTMF (dual-tone multi-frequency)
- A signaling channel that informs the mobile phone network of the pressed key
- The aural feedback of a pressed key leaks to a side channel
- Tones are detected with Goertzel's algorithm
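As an added illustration of why keypad feedback is a usable side channel (example code written for this page, not the paper's implementation): Goertzel's algorithm measures the energy of a short audio block at each of the eight DTMF frequencies, and the dominant row and column tone identify the key. The tones are synthesized here; the 205-sample block length at 8 kHz and the dominance ratio are assumptions.

```python
import math

# DTMF plan: four low-group (row) and four high-group (column) frequencies in Hz
ROWS = (697, 770, 852, 941)
COLS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")

def goertzel_power(samples, rate, freq):
    """|X_k|^2 of the DFT bin nearest `freq`, computed with Goertzel's recurrence."""
    n = len(samples)
    k = round(freq * n / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0                        # s[n-1], s[n-2]
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(samples, rate=8000, min_ratio=4.0):
    """Return the DTMF key present in `samples`, or None if no row/column tone dominates."""
    row_p = [goertzel_power(samples, rate, f) for f in ROWS]
    col_p = [goertzel_power(samples, rate, f) for f in COLS]
    r = max(range(4), key=row_p.__getitem__)
    c = max(range(4), key=col_p.__getitem__)
    # Silence and speech spread energy across bins; require one tone per group to dominate
    if row_p[r] < min_ratio * (sum(row_p) - row_p[r] + 1e-12):
        return None
    if col_p[c] < min_ratio * (sum(col_p) - col_p[c] + 1e-12):
        return None
    return KEYS[r][c]

def synth_digit(key, rate=8000, n=205):
    """Constructed input: the two tones of `key` mixed at equal amplitude (205 samples = 25.6 ms)."""
    r = next(i for i, row in enumerate(KEYS) if key in row)
    c = KEYS[r].index(key)
    return [0.5 * math.sin(2 * math.pi * ROWS[r] * t / rate)
            + 0.5 * math.sin(2 * math.pi * COLS[c] * t / rate) for t in range(n)]

if __name__ == "__main__":
    for key in "4392":
        print(key, "->", detect_digit(synth_digit(key)))
    print("silence ->", detect_digit([0.0] * 205))
```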

Context-Aware Information Collection (5/7)

b) Speech recognition
- Google service: speech recognition functionality
- PocketSphinx
- Segmentation: find the segments that contain speech

[Figure: threshold-based segmentation of a recording into sound and silence]
Context-Aware Information Collection (6/7)

3. Targeted data extraction using profiles
- Focus on IVRs (Interactive Voice Response systems), i.e. phone menus
- Extraction based on predetermined profiles

Context-Aware Information Collection (7/7)

- General profiles
- Speech signatures
- Sequence detection
- Speech characteristics


Stealthy Data Transmission

- Processing centrally isn't ideal:
  - Without local processing, a 1-minute recording → 94 KB
  - A credit card number → 16 bytes
- Two ways to transmit:
  - A legitimate, existing application with network access
  - A paired Trojan application with network access, communicating through a covert channel

Leveraging third-party applications

- The permission mechanism only restricts individual applications
- Example: using the browser, open the URL http://target?number=N
- Drawback: more noticeable, because the browser runs in the foreground
- Ads can be used as cover

Covert channels with paired Trojans (1/4)

- Paired Trojans: Soundminer and Deliverer
- Installation of paired Trojan applications:
  - Pop-up ad
  - Packaged app
- Covert channels on the smartphone:
  - Vibration settings
  - Volume settings
  - Screen
  - File locks

Covert channels with paired Trojans (2/4)

- Vibration settings:
  - Any application can change the vibration settings
  - Communication channel: every time the setting is changed, the system sends a notification to interested applications
  - Save and restore the original settings at opportune times
  - No permissions needed
  - Leaves no traces

Covert channels with paired Trojans (3/4)

- Volume settings:
  - Changes are not automatically broadcast
  - The two applications alternately set and check the volume
  - 3 bits per iteration
  - Sending at set times, reading at set times; a reader can miss a window
- Screen:
  - An "invisible" visible channel
  - Covert channel through the screen settings
  - Prevent the screen from actually turning on
  - Requires the WAKE_LOCK permission

[Figure: timing of the screen covert channel (t_i, in ms)]



Covert channels with paired Trojans (4/4)

- File locks:
  - Exchange information by competing for a file lock
  - Signaling files S_1, ..., S_m and one data file
  - S_1 to S_{m/2} for Soundminer, S_{m/2+1} to S_m for Deliverer




Defense Architecture

- Add a context-sensitive reference monitor that controls the AudioFlinger service
- Block all applications from accessing the audio data while a sensitive call is in progress
- Reference Service:
  - Uses the RIL (radio interface layer) to detect when the phone enters/leaves a sensitive state
- Controller:
  - Embedded in the AudioFlinger service
  - Exclusive Mode / Non-Exclusive Mode
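The defense as a runnable policy simulation (an added example for this page, not the authors' Android modification): the reference service tracks call events coming from the RIL and owns the sensitive state, and the controller decides every audio request against it. Assumptions: a call is sensitive when the dialed number matches a configured list (constructed numbers), exclusive mode denies all clients, and non-exclusive mode keeps access only for the phone application.

```python
from dataclasses import dataclass, field

# Assumption: a call is "sensitive" when the dialed number is on a configured
# list, e.g. bank or card-company hotlines (constructed numbers, not real ones).
SENSITIVE_NUMBERS = {"+18005550100", "+18005550101"}
PHONE_APP = "com.android.phone"   # the only client kept in non-exclusive mode (assumption)

@dataclass
class ReferenceService:
    """Fed with call events by the radio interface layer (RIL); owns the sensitive state."""
    in_sensitive_call: bool = False

    def on_call_started(self, dialed_number: str) -> bool:
        self.in_sensitive_call = dialed_number in SENSITIVE_NUMBERS
        return self.in_sensitive_call

    def on_call_ended(self) -> None:
        self.in_sensitive_call = False

@dataclass
class AudioController:
    """Controller embedded in the audio service: every audio read request passes through it."""
    ref: ReferenceService
    mode: str = "exclusive"           # "exclusive" or "non-exclusive"
    audit_log: list = field(default_factory=list)

    def allow_audio(self, client: str) -> bool:
        if not self.ref.in_sensitive_call:
            allowed = True            # outside sensitive calls the normal permission model applies
        elif self.mode == "exclusive":
            allowed = False           # no application gets microphone data during the call
        else:
            allowed = client == PHONE_APP
        self.audit_log.append((client, self.ref.in_sensitive_call, allowed))  # for later review
        return allowed

def run_scenario(mode: str = "exclusive") -> list:
    """Constructed sequence: a background recorder keeps asking for audio around a hotline call."""
    ref = ReferenceService()
    ctl = AudioController(ref, mode)
    recorder = "com.example.recorder"
    decisions = [ctl.allow_audio(recorder)]          # before the call
    ref.on_call_started("+18005550100")              # RIL: sensitive hotline dialed
    decisions.append(ctl.allow_audio(recorder))      # during the sensitive call
    decisions.append(ctl.allow_audio(PHONE_APP))
    ref.on_call_ended()
    decisions.append(ctl.allow_audio(recorder))      # after hang-up
    return decisions

if __name__ == "__main__":
    print("exclusive:", run_scenario("exclusive"))          # [True, False, False, True]
    print("non-exclusive:", run_scenario("non-exclusive"))  # [True, False, True, True]
```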



Evaluation (1/2)

- Experiment settings:
  - Environment
  - Service hotline detection
  - Tone recognition
  - Speech recognition: resource usage measured with getrusage()
  - Profile-based data discovery: extracted high-value information
  - Covert channel study: bandwidth in bits per second
  - Reference monitor


Evaluation (2/2)

- Experiment results:
  - Effectiveness:
    - Service hotline detection
    - Tone/speech recognition
    - Detection by anti-virus applications
  - Performance



Discussion

- Improvements on the attack
- Defenses


Conclusion

- Soundminer needs only innocuous permissions
- Defense against sensor data stealing
- Highlighted the threat of stealthy sensory malware

Thanks ~

Goertzel's algorithm (appendix slide)

Performance (appendix slide)