The threat of smartphone malware with access to on-board sensors, which opens new avenues for illicit
collection of private information. While existing work shows that such “sensory malware” can convey
raw sensor data (e.g., video and audio) to a remote server, these approaches lack stealthiness, incur
significant communication and computation overhead during data transmission and processing, and can
easily be defeated by existing protections like denying installation of applications with access
to both sensitive sensors and the network. We present Soundcomber, a Trojan with few and innocuous
permissions, that can extract a small amount of targeted private information from the audio sensor
of the phone. Using targeted profiles for context-aware analysis, Soundcomber intelligently
“pulls out” sensitive data such as credit card and PIN numbers from both tone- and speech-based
interaction with phone menu systems. Soundcomber performs efficient, stealthy local extraction,
thereby greatly reducing the communication cost for delivering stolen data.Soundcomber
automatically infers the destination phone number by analyzing audio, circumvents known security
defenses, and conveys information remotely without direct network access. We also design and
implement a defensive architecture that foils Soundcomber, identify new covert channels
specific to smartphones, and provide a video demonstration of Soundcomber.
In essence, all audio recording and phone call requests are mediated by a reference monitor,
which can disable (blank out) the recording when necessary. The decision on when to turn off
the switch is made according to the privacy policies that forbid audio recording for a set
of user-specified phone numbers, such as those of credit-card companies. We evaluate our
prototype defensive architecture and show that it can prevent our demonstrated attacks
with minimal processing overhead.
We now summarize our major contributions:
Targeted, context-aware information discovery from sound recordings. We demonstrate that
smartphone based malware can easily be made to be aware of the context of a phone
conversation, which allows it to selectively collect high-value information. This is
achieved through techniques we developed to profile the interactions with a phone menu,
and recover digits either through a side-channel in a mobile phone or by recognizing
speech. We also show how only limited permissions are needed and how Soundcomber
can determine the destination number of the phone call through IVR fingerprinting.
Stealthy data transmission. We studied various channels on the smartphone platform
that can be used to bypass existing security controls, including data transmission
via a legitimate network-facing application, which has not been mediated by the
existing approaches, and different types of covert channels. We also discovered
several new channels, such as vibration / volume settings, and demonstrated that
covert channel information leaks are completely realistic on smartphones.
Implementation and evaluation. We implemented Soundcomber on an Android phone and
evaluated our technique using realistic phone conversation data. Our study shows that
an individual’s credit-card number can be reliably identified and stealthily disclosed.
Therefore, the threat of such an attack is real.
Defensive architecture. We discuss security measures that could be used to mitigate
this threat, and in particular, we designed and implemented a defensive architecture
that prevents any application from recording audio to certain phone numbers specified
by privacy policies.