There have long been issues with the Android security model, but researchers called runtime-information-gathering (RIG) attacks an emerging security threat to Android and Android-based Internet of Things (IoT) systems. RIG attacks exploit apps to obtain sensitive user data “ranging from phone conversations to health information;” Android-controlled IoT devices such as Belkin NetCam Wi-Fi Camera with Night Vision and Nest Protect are equally vulnerable to RIG attacks. To mitigate the RIG threat, researchers developed an app that pauses potentially dangerous processes and then “resumes them after the security-critical operation is done and the environment is cleaned.”
RIG, in this case, refers to “any malicious activities that involve collected data produced or received by an app during its execution, in an attempt to directly steal or indirectly infer sensitive user information.” A malicious app can abuse the permission it gets “to directly collect sensitive data from the target app running in the foreground.” To understand why there is an “urgent need to mitigate the RIG threat to mobile devices,” Indiana University researchers explained, “Any app that is granted permission is allowed to use the permission to access any resources under any circumstances. For example, a voice recorder can tape any phone conversation without restriction; a game app with the Bluetooth permission for connecting to its playpad can also download patient data from a Bluetooth glucose meter.”
An “official app of an external medical device, such as a blood glucose meter, can be monitored for collecting patient data from the device through the Bluetooth channel, before the official app is able to establish its connection with the device. Particularly concerning here is that even the app not asking for any permission can still obtain highly-sensitive user information from a variety of side channels,” wrote the researchers. They included examples such as “web content detected through analyzing the browser’s memory footprints, key strokes logged using the phone’s accelerometer, and the mobile user’s identity, disease and financial information inferred from different apps’ mobile-data usages.”
During the Android Security session at the 36th annual IEEE Symposium on Security and Privacy, Indiana University researchers will present “Leave Me Alone: App-level Protection Against Runtime Information Gathering on Android” (pdf). The abstract states:
Stealing of sensitive information from apps is always considered to be one of the most critical threats to Android security. Recent studies show that this can happen even to the apps without explicit implementation flaws, through exploiting some design weaknesses of the operating system, e.g., shared communication channels such as Bluetooth, and side channels such as memory and network-data usages. In all these attacks, a malicious app needs to run side-by-side with the target app (the victim) to collect its runtime information. Examples include recording phone conversations from the phone app, gathering WebMD’s data usages to infer the disease condition the user looks at, etc. This runtime-information-gathering (RIG) threat is realistic and serious, as demonstrated by prior research and our new findings, which reveal that the malware monitoring popular Android-based home security systems can figure out when the house is empty and the user is not looking at surveillance cameras, and even turn off the alarm delivered to her phone.
The researchers proposed a novel technique to defend against “this new category of attacks;” they developed App Guardian, which “changes neither the operating system nor the target apps, and provides immediate protection as soon as an ordinary app (with only normal and dangerous permissions) is installed.” Their app thwarts a malicious app’s runtime monitoring attempt by pausing all suspicious background processes when the target app is running; it then automatically resumes them after the app stops.
They set up App Guardian and then evaluated its utility against “over 475 most popular apps in 27 categories on Google Play.” They said the new technique “defeated all known RIG attacks, including audio recording, Bluetooth misbonding, a series of side-channel attacks on high-profile apps, the recently proposed user-interface inference and voice eavesdropping, together with a new IoT attack we discovered, at a performance cost as low as 5% of CPU time and 40MB memory.”
The researchers also demonstrated how Android-controlled IoT devices are vulnerable to RIG attacks. They used a Nexus 5 smartphone to demonstrate three attacks against Belkin NetCam Wi-Fi camera with Night Vision. They found “that the side-channel information of Belkin NetCam app can be used by an adversary for malicious purposes such as theft or robbery.”
Attacking Belkin NetCam:
The first RIG attack abuses the IP camera’s motion detection capabilities. A malicious app, which does not require any permissions, can find out when no one is at home by monitoring the status of the 'save clips' switch. The second attack is on video watching; it shows how a malicious app can also tell when the “phone user is not looking at the surveillance video” via the official app on her smartphone. The last attack involves audio blocking. The bad app knows “when the camera’s motion sensor captures the presence of a stranger at home” and when it sends an alarm message to the user’s phone; the malware turns off the phone’s speaker, so the user has no clue the alarm went off. “This actually helps a robber break into one’s home without being discovered, even when the home is protected by such a security system.”
When Nest Protect sensors detect a fire, an alarm is sent to a user’s phone; but the researchers added, “It turns out that Nest Protect is equally vulnerable to the RIG attacks, though the system was carefully built to avoid common security flaws.” An attack app can reliably identify when the Nest app notifies users of a fire alarm. “In our research, we performed the same muting attack to disable sound once an alarm is arrived, which worked as effectively as that on NetCam. As a result, the attack app could make the alarm temporarily go unnoticeable.”
Audio recording attack and protection:
The second video demonstrates a malicious app running in the background to record any phone call the user makes; it also shows how App Guardian can protect users from audio recording attacks.
Protecting against "motion detection on" attack
The final video demonstrates a malicious app launching an attack against NetCam, but this time App Guardian is running in the background. App Guardian pops up with the warning, “7 apps have potential risk to steal your information and have been stopped to protect your privacy.” Those seven apps were stopped since their scheduling rates were over once every three seconds. The demo example showed the Viber app (process) automatically being recovered; if a user wants to, then she can recover the rest of the stopped apps manually.
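One way to express the pause-and-resume policy described above, using the once-every-three-seconds threshold from the demo. This is an added example, not App Guardian's code; the sample format, the package names, the exempt list and the function and class names are assumptions made for illustration.

```python
from collections import defaultdict

# Threshold from the demo: stop apps scheduled more than once every three seconds.
MAX_RATE_HZ = 1.0 / 3.0

# Constructed samples: (seconds since guard start, package, cumulative times scheduled).
# All package names except com.android.systemui are hypothetical.
SAMPLES = [
    (0, "com.example.netcam", 10),      (30, "com.example.netcam", 400),
    (0, "com.example.flashlight", 100), (30, "com.example.flashlight", 160),
    (0, "com.example.notes", 40),       (30, "com.example.notes", 44),
    (0, "com.example.messenger", 500),  (30, "com.example.messenger", 530),
    (0, "com.android.systemui", 900),   (30, "com.android.systemui", 1500),
]

def scheduling_rates(samples):
    """Return {package: schedules per second} from first and last counter sample."""
    series = defaultdict(list)
    for t, pkg, count in samples:
        series[pkg].append((t, count))
    rates = {}
    for pkg, points in series.items():
        points.sort()
        (t0, c0), (t1, c1) = points[0], points[-1]
        # Skip single samples and counter resets (process restarted mid-window).
        if t1 > t0 and c1 >= c0:
            rates[pkg] = (c1 - c0) / (t1 - t0)
    return rates

def select_suspects(samples, protected_pkg, exempt=()):
    """Packages to pause while protected_pkg is in the foreground."""
    skip = set(exempt) | {protected_pkg}
    return sorted(p for p, r in scheduling_rates(samples).items()
                  if r > MAX_RATE_HZ and p not in skip)

class Guard:
    """Remembers what was paused so all of it is resumed when protection ends."""
    def __init__(self):
        self.paused = []

    def enter(self, samples, protected_pkg, exempt=()):
        self.paused = select_suspects(samples, protected_pkg, exempt)
        return self.paused

    def leave(self):
        resumed, self.paused = self.paused, []
        return resumed
```

The protected app and exempted system packages are never paused, however busy they are; an app that wakes only occasionally, like the notes app here, stays under the threshold and keeps running.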
I encourage you to read the paper, “Leave Me Alone: App-level Protection Against Runtime Information Gathering on Android” (pdf), by IU researchers Nan Zhang, Kan Yuan, Muhammad Naveed, Xiaoyong Zhou, XiaoFeng Wang. If I hear back from the authors that App Guardian is available in Google’s Play Store, then I’ll add a link.