Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
On-Board Data Collection and Filtering
Discussion
Related Work
Conclusion
References
All Topics
Computer Science
Distributed Systems

PlaceRaider: Virtual Theft in Physical Spaces with Smartphones

Profile image of Zahid RahmanZahid Rahman

NDSS

Abstract

As smartphones become more pervasive, they are increasingly targeted by malware. At the same time, each new generation of smartphone features increasingly powerful onboard sensor suites. A new strain of ‘sensor malware’ has been developing that leverages these sensors to steal information from the physical environment — e.g., researchers have recently demonstrated how malware can ‘listen’ for spoken credit card numbers through the microphone, or ‘feel’ keystroke vibrations using the accelerometer. Yet the possibilities of what malware can ‘see’ through a camera have been understudied. This paper introduces a novel ‘visual malware’ called PlaceRaider, which allows remote at- tackers to engage in remote reconnaissance and what we call “virtual theft.” Through completely opportunistic use of the phone’s camera and other sensors, PlaceRaider constructs rich, three dimensional models of indoor environments. Remote burglars can thus ‘download’ the physical space, study the environment carefully, and steal virtual objects from the environment (such as financial documents, information on computer monitors, and personally identifiable informa- tion). Through two human subject studies we demonstrate the effectiveness of using mobile devices as powerful urveillance and virtual theft platforms, and we suggest several possible defenses against visual malware.

Related papers

Stealthy Video Capturer: A New Video-based Spyware
Jin Teng

In this paper, we investigate video-based vulnerabilities in 3G Smartphones. Particularly, we design a new video-based spyware, called Stealthy Video Capturer (SVC). SVC can secretly record video information for the third party, greatly compromising Smartphone users' privacy. We implement the spyware and conduct extensive experiments on real world 3G Smartphones. Our experimental results show that the spyware can capture private video information with unremarkable power consumption, CPU and memory occupancy, hence being stealthy to Smartphone users. Moreover, SVC can naturally be resistant to almost all commercial anti-virus tools, like McAfee, Kaspersky and F-Secure mobile version. To the best of our knowledge, our work is the first one to address video-based vulnerabilities in 3G Smartphones. We expect our work will prompt serious attentions on this issue.

View PDFchevron_right
Smartphone Malware Threat, an Experimental Evaluation of Smartphone Security
Journal of Computer Science IJCSIS

With the rise in smart phone usage, the privacy concerns of millions of users has also grown. The malware is making inroads via the malicious apps created by the programmers. In this paper we created a malicious app in Android and the app was successfully stored at the play store. This malicious app helps us to track and pinpoint the current location of the mobile and saves the call logs, sent to our Web-based application. This app couples GPS-based information with Google maps data and accurately determines the current postal address of the mobile using this app. The flexibility provided by the operating systems that allows the developers to develop the malicious applications (Malware), thereby compromising the security of smart phone users. In this paper, we try to evaluate the existing security safeguards used by the two leading smart phone operating systems i.e. IOS and Android. The two platforms will be evaluated in terms of the flexibility provided by the operating system to develop the malware. We will provide a comparative analysis, based on the experimental setup implementation of these two platforms.

View PDFchevron_right
Sensing-enabled channels for hard-to-detect command and control of mobile devices
Tzipora Halevi

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security - ASIA CCS '13, 2013

The proliferation of mobile computing devices has enabled immense opportunities for everyday users. At the same time, however, this has opened up new, and perhaps more severe, possibilities for attacks. In this paper, we explore a novel generation of mobile malware that exploits the rich variety of sensors available on current mobile devices.

View PDFchevron_right
CAMERA BASED ATTACK DETECTION AND PREVENTION TECH- NIQUES ON ANDROID MOBILE PHONES
eSAT Journals

Mobile phone security has become an important aspect of security issues in wireless multimedia communications. In this paper, we focus on security issues related to mobile phone cameras. Specifically, we discover several new attacks that are based on the use of phone cameras. We implement the attacks on real phones, and demonstrate the feasibility and effectiveness of the attacks. Furthermore, we propose a lightweight defense scheme that can effectively detect these attacks. In this paper, we are going to develop an Android application such that when a user loses his/her phone, the spy camera could be launched via remote control and capture what the thief looks like as well as the surrounding environment. Then the pictures or videos along with location information (GPS coordinates) can be sent back to the device owner so that the owner can pinpoint the thief and get the phone back. We conduct a survey on the threats and benefits of spy cameras. Then we present the basic attack model and two camera based attacks: the remote-controlled real time monitoring attack and the pass code inference attack. We run these attacks along with popular antivirus software to test their stealthiness, and conduct experiment to evaluate both types of attack.

View PDFchevron_right
PlaceAvoider: Steering First-Person Cameras away from Sensitive Spaces
Mohammed Korayem

Cameras are now commonplace in our social and computing landscapes and embedded into consumer devices like smartphones and tablets. A new generation of wearable devices (such as Google Glass) will soon make 'first-person' cameras nearly ubiquitous, capturing vast amounts of imagery without deliberate human action. 'Lifelogging' devices and applications will record and share images from people's daily lives with their social networks. These devices that automatically capture images in the background raise serious privacy concerns, since they are likely to capture deeply private information. Users of these devices need ways to identify and prevent the sharing of sensitive images.

View PDFchevron_right
Trojan horses in mobile devices
Juan Luis Ortega

Computer Science and Information Systems, 2010

This paper focuses on the behavior of Trojan horses in mobile devices. This malicious software tries to steal information from a mobile device while the user is unaware. We describe the communication links through a Trojan horse installed into a mobile device. To demonstrate the effects of a Trojan horse infection we present a practical example on a PDA. Via SMS, the malicious user can access a user's contacts information through the previous installation of the Trojan horse. The results show that this process means a loss of information and a quantified cost to the attacked user too. This paper proposes different solutions to avoid this malware and its effects.

View PDFchevron_right
Stealthy video capturer: a new video-based spyware in 3g smartphones
Jin Teng

2009

Abstract In this paper, we investigate video-based vulnerabilities in 3G Smartphones. Particularly, we design a new video-based spyware, called Stealthy Video Capturer (SVC). SVC can secretly record video information for the third party, greatly compromising Smartphone users' privacy. We implement the spyware and conduct extensive experiments on real world 3G Smartphones.

View PDFchevron_right
Light Weight Defense Mechanism Against Camera Based Attacks
Poonam Lohiya

IRA-International Journal of Technology & Engineering, 2017

A number of android security and privacy vulnerabilities have been exposed in past several years. However, the mobile malware and privacy leakage remain a big threat to mobile phone security and privacy. It has been observed that phone camera would become a traitor in such attacks by capturing photos or videos secretly. Secret photography is not only immoral but also illegal due to invasion of privacy. Phone users themselves could also become victims and if the phone camera is exploited by malicious spy camera app, it may cause serious security and privacy problems. Most of the existing mobile antivirus apps are unable to monitor such camera based attacks. Hence, we demonstrate two camera based attacks through our proposal namely, Remote controlled real time monitoring Attack like Screen unlocking Attack, SMS Attack. We also propose a light weight defense scheme as a countermeasure for the camera attacks that can protect android phones against harmful spy Camera attacks.

View PDFchevron_right
UnLocIn: Unauthorized location inference on smartphones without being caught
Le Minh Nguyen

2013 International Conference on Privacy and Security in Mobile Systems (PRISMS), 2013

Location privacy has become one of the critical issues in the smartphone era. Since users carry their phones everywhere and all the time, leaking users' location information can have dangerous implications. In this paper, we leverage the idea that Wi-Fi parameters not considered to be "sensitive" in the Android platform can be exploited to learn users' location. Though the idea of using Wi-Fi information to breach location privacy is not new, we extend the basic idea and show that clever attackers can do so without being detected by current malware detection techniques. To achieve this goal, we develop the Unauthorized Location Inference attack (UnLocIn) that is transparent to both the victim user and the malware detection software, using the seemingly insensitive permission to access Wi-Fi state. This permission is used by 51 of the top 100 free apps on Google Play. We demonstrate that the UnLocIn attack allows the attacker to infer the victim's location with 50 meter accuracy in 20% of cases and within a few hundred meters on average. In addition, we discuss potential defenses against our proposed UnLocIn attack.

View PDFchevron_right

References (36)

  1. M. Backes, T. Chen, M. Duermuth, H. Lensch, and M. Welk. Tempest in a teapot: Compro- mising reflections revisited. In 30th IEEE Symposium on Security and Privacy, pages 315-327, May 2009.
  2. M. Backes, M. Durmuth, and D. Unruh. Compromising reflections-or-how to read LCD mon- itors around the corner. In IEEE Symposium on Security and Privacy, pages 158-169, May 2008.
  3. M. J. Black and P. Anandan. A framework for the robust estimation of optical flow. In Proceedings of the IEEE International Conference on Computer Vision, pages 231-236, 1993.
  4. S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, and A.-R. Sadeghi. XManDroid: A new Android evolution to mitigate privilege escalation attacks. Technical Report TR-2011-04, Technische Universität Darmstadt, Apr. 2011.
  5. S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, and B. Shastry. Towards taming privilege-escalation attacks on Android. In 19th Annual Network & Distributed System Security Symposium (NDSS), Feb. 2012.
  6. L. Cai, S. Machiraju, and H. Chen. Defending against sensor-sniffing attacks on mobile phones. In Proceedings of the 1st ACM Workshop on Networking, Systems, and Applications for Mobile Handhelds, MobiHeld '09, pages 31-36, New York, NY, USA, 2009.
  7. M. Conti, V. T. N. Nguyen, and B. Crispo. Crepe: context-related policy enforcement for android. In Proceedings of the 13th International Conference on Information Security, pages 331-345, Berlin, Heidelberg, 2011.
  8. D. Crandall, A. Owens, N. Snavely, and D. P. Huttenlocher. Discrete-continuous optimization for large-scale structure from motion. In Proc. IEEE Conf. on Computer Vision and Pattern Recognition, 2011.
  9. M. Dietz, S. Shekhar, Y. Pisetsky, A. Shu, and D. S. Wallach. Quire: Lightweight provenance for smart phone operating systems. CoRR, abs/1102.2445, 2011.
  10. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taint- Droid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementa- tion, OSDI'10, pages 1-6, Berkeley, CA, USA, 2010.
  11. W. Enck, M. Ongtang, and P. McDaniel. Mitigating Android software misuse before it happens. Technical Report NAS-TR-0094-2008, Pennsylvania State University, 2008.
  12. A. Felt, K. Greenwood, and D. Wagner. The effectiveness of application permissions. In Proceedings of the USENIX Conference on Web Application Development, 2011.
  13. A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: attacks and defenses. In Proceedings of the 20th USENIX Conference on Security, SEC'11, pages 22-22, Berkeley, CA, USA, 2011.
  14. Y. Furukawa, B. Curless, S. M. Seitz, and R. Szeliski. Reconstructing building interiors from images. In IEEE International Conference on Computer Vision, pages 80-87, Oct. 2009.
  15. Y. Furukawa and J. Ponce. Accurate, dense, and robust multiview stereopsis. IEEE Transac- tions on Pattern Analysis and Machine Intelligence, 32(8):1362-1376, Aug. 2010.
  16. S. Gabarda and G. Cristóbal. Blind image quality assessment through anisotropy. J. Opt. Soc. Am. A, 24(12):B42-B51, Dec. 2007.
  17. M. Kuhn. Optical time-domain eavesdropping risks of CRT displays. In Proceedings of the IEEE Symposium on Security and Privacy, pages 3-18, 2002.
  18. B. Laxton, K. Wang, and S. Savage. Reconsidering physical key secrecy: Teleduplication via optical decoding. In Proceedings of the 15th ACM Conference on Computer and Communica- tions Security, CCS '08, pages 469-478, New York, NY, USA, 2008.
  19. L. Liu, G. Yan, X. Zhang, and S. Chen. VirusMeter: Preventing your cellphone from spies. In Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, RAID '09, pages 244-264, Berlin, Heidelberg, 2009.
  20. D. G. Lowe. Distinctive image features from scale-invariant keypoints. International Journal of Computer Vision, 60(2):91-110, Nov. 2004.
  21. P. Marquardt, A. Verma, H. Carter, and P. Traynor. (sp)iPhone: Decoding vibrations from nearby keyboards using mobile phone accelerometers. In Proceedings of the 18th ACM Con- ference on Computer and Communications Security, CCS '11, pages 551-562, 2011.
  22. E. Miluzzo, A. Varshavsky, S. Balakrishnan, and R. R. Choudhury. Tapprints: Your finger taps have fingerprints. In Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services, MobiSys '12, pages 323-336, New York, NY, USA, 2012.
  23. K. Mowery, S. Meiklejohn, and S. Savage. Heat of the moment: Characterizing the efficacy of thermal camera-based attacks. In Proceedings of the 5th USENIX Conference on Offensive Technologies, WOOT'11, page 6, Berkeley, CA, USA, 2011.
  24. M. Nauman, S. Khan, and X. Zhang. Apex: Extending Android permission model and en- forcement with user-defined runtime constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS '10, pages 328-332, New York, NY, USA, 2010.
  25. M. Ongtang, K. Butler, and P. McDaniel. Porscha: Policy oriented secure content handling in Android. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10, pages 221-230, New York, NY, USA, 2010.
  26. M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically rich application-centric security in Android. In Proceedings of the 2009 Annual Computer Security Applications Con- ference, ACSAC '09, pages 340-349, Washington, DC, USA, 2009.
  27. E. Owusu, J. Han, S. Das, A. Perrig, and J. Zhang. ACCessory: Password inference using accelerometers on smartphones. In Proceedings of the 12th Workshop on Mobile Computing Systems & Applications, HotMobile '12, pages 9:1-9:6, New York, NY, USA, 2012.
  28. G. Portokalidis, P. Homburg, K. Anagnostakis, and H. Bos. Paranoid Android: Versatile protection for smartphones. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10, pages 347-356, New York, NY, USA, 2010.
  29. R. Raguram, A. M. White, D. Goswami, F. Monrose, and J.-M. Frahm. iSpy: Automatic reconstruction of typed input from compromising reflections. In ACM Conference on Computer and Communications Security, pages 527-536, 2011.
  30. R. Schlegel, K. Zhang, X. Zhou, I. Mehool, A. Kapadia, and X. Wang. Soundcomber: A stealthy and context-aware sound trojan for smartphones. In Proceedings of the 18th Annual Network and Distributed System Security Symposium, NDSS'11, 2011.
  31. A. Smith. Nearly half of American adults are smartphone owners. Technical report, Pew Research Center, 2012.
  32. N. Snavely. Phototourism software FAQ. http://phototour.cs.washington.edu/bundler/ faq.html.
  33. N. Snavely, S. Seitz, and R. Szeliski. Modeling the World from Internet Photo Collections. International Journal of Computer Vision, 80:189-210, 2008.
  34. N. Snavely, S. M. Seitz, and R. Szeliski. Photo tourism: Exploring photo collections in 3D. In SIGGRAPH Conference Proceedings, pages 835-846, 2006.
  35. N. Xu, F. Zhang, Y. Luo, W. Jia, D. Xuan, and J. Teng. Stealthy video capturer: A new video-based spyware in 3G smartphones. In Proceedings of the second ACM conference on Wireless Network Security, WiSec '09, pages 69-78, New York, NY, USA, 2009.
  36. Y. Zhou and X. Jiang. Dissecting Android malware: Characterization and evolution. In IEEE Symposium on Security and Privacy, pages 95-109, 2012.

Related papers

Malware in Motion
Zhiyuan Luo

2022

Malicious software (malware) is designed to circumvent the security policy of the host device. Smartphones represent an attractive target to malware authors as they are often a rich source of sensitive information. Attractive targets for attackers are sensors (such as cameras or microphones) which allow observation of the victims in real time. To counteract this threat, there has been a tightening of privileges on mobile devices with respect to sensors, with app developers being required to declare which sensors they need access to, as well as the users needing to give consent. We demonstrate by conducting a survey of publicly accessible malware analysis platforms that there are still implementations of sensors which are trivial to detect without exposing the malicious intent of a program. We also show how that, despite changes to the permission model, it is still possible to fingerprint an analysis environment even when the analysis is carried out using a physical device with the novel use of Android's Activity Recognition API.

View PDFchevron_right
Curbing mobile malware based on user-transparent hand movements
Manar Mohamed

2015 IEEE International Conference on Pervasive Computing and Communications (PerCom), 2015

In this paper, we present a run-time defense to the malware that inspects the presence/absence of certain transparent human gestures exhibited naturally by users prior to accessing a desired resource. Specifically, we focus on the use of transparent gestures to prevent the misuse of three critical smartphone capabilities-the phone calling service, the camera resource and the NFC reading functionality. We show how the underlying natural hand movement gestures associated with the three services, calling, snapping and tapping, can be detected in a robust manner using multiple-motion, position and ambient-sensors and machine learning classifiers. To demonstrate the effectiveness of our approach, we collect data from multiple phone models and multiple users in real-life or near real-life scenarios emulating both benign settings as well as adversarial scenarios. Our results show that the three gestures can be detected with a high overall accuracy, and can be distinguished from one another and from other activities (benign or malicious), serving as a viable malware defense. In the future, we believe that transparent gestures associated with other smartphone services, such as sending SMS or email, can also be integrated with our system.

View PDFchevron_right
SMASheD: Sniffing and Manipulating Android Sensor Data for Offensive Purposes
Manar Mohamed

IEEE Transactions on Information Forensics and Security, 2017

The current Android sensor security model either allows only restrictive read access to sensitive sensors (e.g., an app can only read its own touch data) or requires special install-time permissions (e.g., to read microphone, camera or GPS). Moreover, Android does not allow write access to any of the sensors. Sensingbased security and non-security applications therefore crucially rely upon the sanity of the Android sensor security model. In this paper, we show that such a model can be effectively circumvented. Specifically, we build SMASheD, a legitimate framework under the current Android ecosystem that can be used to stealthily sniff as well as manipulate many of the Android's restricted sensors (even touch input). SMASheD exploits the Android Debug Bridge (ADB) functionality and enables a malicious app with only the INTERNET permission to read, and write to, multiple different sensor data files at will. SMASheD is the first framework, to our knowledge, that can sniff and manipulate protected sensors on unrooted Android devices, without user awareness, without constant device-PC connection and without the need to infect the PC. The primary contributions of this work are twofold. First, we design and develop the SMASheD framework, and evaluate its effectiveness on multiple Android devices, including phones, watches and glasses. Second, as an offensive implication of the SMASheD framework, we introduce a wide array of potentially devastating attacks. Our attacks against the touchsensor range from accurately logging the touchscreen input (TouchLogger) to injecting touch events for accessing restricted sensors and resources, installing and granting special permissions to other malicious apps, accessing user accounts, and authenticating on behalf of the user-essentially almost doing whatever the device user can do (secretively). Our attacks against various physical sensors (motion, position and environmental) can subvert the functionality provided by numerous existing sensing-based security and non-security applications, including those used for (continuous) authentication, authorization, safety, and elderly care.

View PDFchevron_right
Spy camera attacks on mobile security
samrudhi khond

International Journal of Advance Research, Ideas and Innovations in Technology, 2018

Nowadays, Smartphone security has become a major issue to resolve. All the smart phones have features like camera, touch screen and many more. These may cause attacks on users smart phones. Modern smart phone platforms provide users to customize their device using applications found on app stores. Users are constantly in trouble that they are unaware of installing malicious apps that steal personal data or gain access to other private information. For example, while using such malicious application, the application provider may carry the hidden request to have access to different devices connected to our phone such as camera, smart phone is been attacked, identifying our location through camera as it will show our surrounding area and trying to identify PIN using camera. However, few Works have studied mobile phone multimedia Security. In this survey, we focus on security problems related to mobile phone cameras. Specifically, we discuss several attacks that are based on the smart p...

View PDFchevron_right
Protecting mobile users from visual privacy attacks
Anika Anwar

Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing: Adjunct Publication, 2014

An increasing number of people are using mobile devices in public places such as buses, trains, airports, coffee shops, and restaurants. Though the flexibility to work remotely using mobile devices make people more productive, this new working practice incurs unauthorized visual access of the mobile display by the bystanders, which we call visual privacy attack. Failing to prevent unauthorized people viewing sensitive information such as passwords, emails, and business information could lead to financial loss, public exposure, and embarrassment. In this paper, we propose a solution that captures the surrounding environment through user's mobile phone camera and determines whether any unauthorized person is obtaining visual access to the user's mobile screen. We develop an Android application, iAlert, that runs as a background process on a user's mobile device and alerts the user based on whether or not the displayed text on the screen is readable by bystanders.

View PDFchevron_right

Related topics

  • Distributed Computing
  • Information Security
  • Computer Security
  • Cyberphysical systems
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved