This is a demo website for our CCS 2013 paper "Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources". In this work, we study what information a malicious app without any permissions can learn from Android public resources. Here we demonstrate how a zero-permission app obtains the user's precise location, the user's identity, and the disease conditions the phone user is interested in.

1. Location Inference

In this first video, we demonstrate that a zero-permission app can use the public ARP information exposed by the Android Linux file system to precisely locate a user and send the data to the attack server when the screen is turned off (this is detected by monitoring the backlight level of the LCD panel). The app is started manually here for the demo. In reality, it can run in the background.

2. Identity Inference

In this video, we demonstrate how to infer the user's identity using social networks such as Twitter. The attacker monitors aggregate network usage statistics and detects when the victim tweets from her mobile phone. The malicious app records the timestamps of the post-tweet events and queries for users in the nearby area who posted tweets at those times. This way the attacker derives candidate sets. Specifically, every time a post timestamp is collected, the attacker gets a candidate set, which she intersects with the previous sets until only one candidate is left, i.e., the identified victim.

Our app can masquerade as any legitimate app, given that it does not need any permissions. Once activated, it runs in the background and automatically detects the situation (that the Twitter app is currently being executed) before collecting and transmitting data related to the target app. (This video is annotated with YouTube's annotation tool. If you cannot see the annotations, please visit this page on a desktop or laptop.)

Inferring identities from Twitter usage
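
The candidate-set intersection described in this section can be traced on a small data set to see how quickly the anonymity set shrinks and how much that depends on timing precision. The following is an added illustration, not code from the paper or the demo app; the handles, timestamps, and the `tolerance` parameter (how precisely a post time is known) are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data: public post times (in seconds) of accounts in one area.
PUBLIC_POSTS: Dict[str, List[int]] = {
    "user_alice": [1000, 1900, 3400],
    "user_bob":   [1001, 2500, 4020],
    "user_carol": [1000, 2500, 4000],   # the account behind the observed device
    "user_dave":  [400, 2501, 4000],
    "user_erin":  [1030, 2530, 4030],
}

# Constructed sample data: times at which a post event was detected on the device.
OBSERVED: List[int] = [1000, 2500, 4000]


def candidates_at(ts: int, tolerance: int, posts: Dict[str, List[int]]) -> Set[str]:
    """Accounts with at least one public post within +/- tolerance seconds of ts."""
    return {user for user, times in posts.items()
            if any(abs(t - ts) <= tolerance for t in times)}


def narrow(observed: List[int], tolerance: int,
           posts: Dict[str, List[int]] = PUBLIC_POSTS) -> Tuple[Set[str], List[int]]:
    """Intersect the candidate set of each observation with the previous ones.

    Returns the remaining candidates and the set size after each observation,
    stopping early once at most one candidate is left.
    """
    remaining = set(posts)
    sizes: List[int] = []
    for ts in observed:
        remaining &= candidates_at(ts, tolerance, posts)
        sizes.append(len(remaining))
        if len(remaining) <= 1:
            break
    return remaining, sizes


if __name__ == "__main__":
    for tol in (1, 30):
        who, sizes = narrow(OBSERVED, tol)
        print(f"tolerance={tol:>2}s  sizes={sizes}  remaining={sorted(who)}")
```

With one-second precision, three observations leave a single account; with a 30-second tolerance, the same three observations still leave three accounts, so the precision of the exposed usage statistics directly determines how identifying they are.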

3. Disease Inference (WebMD)

Here, we show how an attacker can infer a mobile phone user's health information from WebMD. The attacker's malware, running on the victim's mobile phone, monitors the aggregate network usage data of the WebMD app and sends it to the attacker's remote location. The attacker can then match the generated traffic with pre-calculated signatures of navigation paths on WebMD.

For the purposes of this demonstration, we show the invoked browser that is being used to send the data. In a real setting, this operation happens after the screen dims, to hide the real functionality of the malware, as shown in video 1.

Inferring health information using network traffic