This is a demo website for our CCS 2013 paper "Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources". In this work, we study what information a malicious app without any permissions can learn from Android public resources. Here we demonstrate how an zero-permission app gets precise location, user's identity and disease conditions the phone user interested in.
In this first video we demonstrate that a zero-permission app can use the ARP public information exposed by the Android Linux file system to precisely locate a user and send the data to attack server when the screen is turned off (this is detected by monitoring the backlit level of the LCD panel). The app is started manually here for the demo. In reality, it can will run in the background.
In this video, we
demonstrate how to infer the user's identity using social networks such
as twitter. The attacker monitors aggregate network usage statistics information and detects when the victim tweets from her mobile phone. The malicious app records the timestamps of
the post tweet event and queries twitter.com for users in the nearby area who
posted tweets at that time. This way the attacker derives candidates sets. Specifically, every time a post
timestamp is collected, the attacker gets a candidates set which she intersects with previous sets until only one
candidate is left, i.e the identified victim.
app can masquerade as any legitimate app, given the fact that it does
not need any permissions. Once activated, it runs in the background,
automatically detects the situation (that the Twitter app is currently
being executed) before collecting and transmitting data related to the
target app. (This video is annotated with youtube's annotation tool. If you can not see the annotation, please visit this page on a desktop or laptop).
Here, we show how an attacker can infer a mobile phone user's health information from WebMD. The attacker's malware running on the victim's mobile phone, monitors the aggregate network usage data of WebMD app which it sends to the attacker's remote location. The attacker can then match the generated traffic with pre-calculated signatures of navigation paths on WebMD.
For the purposes of this demonstration, we show the invoked browser that is being used to send the data. On a real setting this operation happens after the screen dims out to hide the real functionality of the malware as shown in video 1.