security threats to mobile multimedia applications: camera...

IEEE Communications Magazine • March 201480 0163-6804/14/$25.00 © 2014 IEEE

INTRODUCTION

Since 2007, the Android operating system(OS) has enjoyed an incredible rate of popu-larity. As of 2013, the Android OS holds 79.3percent of global smartphone market shares.Meanwhile, a number of Android security andprivacy vulnerabilities have been exposed inthe past several years. Although the Androidpermission system gives users an opportunityto check the permission request of an applica-tion (app) before installation, few users haveknowledge of what al l these permissionrequests stand for; as a result, they fails towarn users of security risks. Meanwhile, anincreasing number of apps specif ied toenhance security and protect user privacy haveappeared in Android app markets. Most largeanti-virus software companies have publishedtheir Android-version security apps, and triedto provide a shield for smartphones by detect-ing and blocking malicious apps. In addition,there are data protection apps that provideusers the capability to encrypt, decrypt, sign,and verify signatures for private texts, emails,

and files. However, mobile malware and priva-cy leakage remain a big threat to mobile phonesecurity and privacy.

Generally, when talking about privacy protec-tion, most smartphone users pay attention to thesafety of SMS, emails, contact lists, calling histo-ries, location information, and private files. Theymay be surprised that the phone camera couldbecome a traitor; for example, attackers couldstealthily take pictures and record videos byusing the phone camera. Nowadays, varioustypes of camera-based applications haveappeared in Android app markets (photography,barcode readers, social networking, etc.). Spycamera apps have also become quite popular. Asfor Google Play, there are nearly 100 spy cameraapps, which allow phone users to take picturesor record videos of other people without theirpermission. However, believe it or not, phoneusers themselves could also become victims.Attackers can implement spy cameras in mali-cious apps such that the phone camera islaunched automatically without the deviceowner’s notice, and the captured photos andvideos are sent out to these remote attackers.Even worse, according to a survey on Androidmalware analysis [1], camera permission ranks12th of the most commonly requested permis-sions among benign apps, while it is out of thetop 20 in malware. The popularity of camerausage in benign apps and relatively less usage inmalware lower users’ alertness to camera-basedmultimedia application attacks.

Nowadays, people carry their phones every-where; hence, their phones see lots of privateinformation. If the phone camera is exploited bya malicious spy camera app, it may cause serioussecurity and privacy problems. For example, thephone camera may record a user’s daily activitiesand conversations, and then send these out viathe Internet or multimedia messaging service(MMS). Secret photography is not only immoralbut also illegal in some countries due to theinvasion of privacy. Nevertheless, a phone cam-era could also provide some benefits if it is con-

ABSTRACT

Today’s mobile smartphones are very power-ful, and many smartphone applications use wire-less multimedia communications. Mobile phonesecurity has become an important aspect of secu-rity issues in wireless multimedia communica-tions. As the most popular mobile operatingsystem, Android security has been extensivelystudied by researchers. However, few works havestudied mobile phone multimedia security. Inthis article, we focus on security issues related tomobile phone cameras. Specifically, we discoverseveral new attacks that are based on the use ofphone cameras. We implement the attacks onreal phones, and demonstrate the feasibility andeffectiveness of the attacks. Furthermore, wepropose a lightweight defense scheme that caneffectively detect these attacks.

SECURITY IN WIRELESS MULTIMEDIACOMMUNICATIONS

Longfei Wu and Xiaojiang Du, Temple University

Xinwen Fu, University of Massachusetts Lowell

Security Threats to Mobile Multimedia Applications: Camera-BasedAttacks on Mobile Phones

DU_LAYOUT.qxp_Layout 3/4/14 12:06 PM Page 80

IEEE Communications Magazine • March 2014 81

trolled well by the device owner. For example,when the owner wants to check if someone hasused his/her phone without permission, thephone camera could be used to record the faceof an unauthorized user. Besides, it can also helpthe owner find a lost phone.

In this article, we first conduct a survey onthe threats and benefits of spy cameras. Then wepresent the basic attack model and two camera-based attacks: the remote-controlled real-timemonitoring attack and the passcode inferenceattack. We run these attacks along with popularantivirus software to test their stealthiness, andconduct experiments to evaluate both types ofattacks. The results demonstrate the feasibilityand effectiveness of these attacks. Finally, wepropose a lightweight defense scheme.

RELATED WORKA number of recent works have studied the issueof obtaining private information on smartphonesusing multimedia devices such as microphonesand cameras. For example, Soundcomber [2] is astealthy Trojan that can sense the context of itsaudible surroundings to target and extract high-value data such as credit card and PIN numbers.Stealthy audio recording is easier to realize sinceit does not need to hide the camera preview. Xuet al. [3] present a data collection techniqueusing a video camera embedded in Windowsphones. Their malware (installed as a Trojan)secretly records video and transmits data usingeither email or MMS. Windows phones offer afunction, ShowWindow(hWnd, SW HIDE),which can hide an app window on the phonescreen. However, it is much more complicated(no off-the-shelf function) to hide a camera pre-view window in an Android system. In this work,we are able to hide the whole camera app inAndroid. Moreover, we implement advancedforms of attacks such as remote-controlled andreal-time monitoring attacks. We also utilizecomputer vision techniques to analyze recordedvideos and infer passcodes from users’ eye move-ments.

Several video-based attacks targeted atkeystrokes have been proposed. The attacks canobtain user input on touch screen smartphones.Maggi et al. [4] implement an automatic shoul-der surfing attack against modern touch-enabledsmartphones. The attacker deploys a video cam-era that can record the target screen while thevictim is entering text. Then user input can bereconstructed solely based on the keystrokefeedback displayed on the screen. However, thisattack requires an additional camera device, andissues like how to place the camera near the vic-tim without catching an alert must be consideredcarefully. Moreover, it works only when visualfeedback such as magnified keys are available.iSpy [5], proposed by Raguram, shows howscreen reflections may be used for reconstruc-tion of text typed on a smartphone’s virtual key-board. Similarly, this attack also needs an extradevice to capture the reflections, and the visualkey press confirmation mechanism must beenabled on the target phone. In contrast, ourcamera-based attacks work without any supportfrom other devices.

THREATS AND BENEFITS OFSPY CAMERA

As mentioned above, the role a spy camera playsdepends on the way it is used and who is in con-trol of it. In the following, we discuss somethreats and benefits of using a spy camera.

LEAKING PRIVATE INFORMATIONA spy camera works as a thief if it steals privateinformation from the phone. First, the malwarefinds a way to infect the victim’s smartphone.For example, it appears to be a normal app withlegitimate use of a camera and the Internet. Onone hand, it performs the function it claims. Onthe other hand, it runs a background service tosecretly take pictures or record videos, and storethe data with obscure names in a directory thatis seldom visited. Then these data are sent out tothe attacker when WiFi (fast and usually unlim-ited) access or other connection is available.

WATCHDOGWatchdog is another thing a spy camera can do.Nobody wants other people to use or checkhis/her phone without permission. A spy cameracan stealthily take pictures of the phone userand deter those who use or check other people’sphones.

ANTI-THIEFOn the other hand, a spy camera could play acompletely different role if it is used properly.When a user loses his/her phone, the spy cameracould be launched via remote control and cap-ture what the thief looks like as well as the sur-rounding environment. Then the pictures orvideos along with location information (GPScoordinates) can be sent back to the deviceowner so that the owner can pinpoint the thiefand get the phone back.

THE BASIC CAMERA ATTACK MODELWe want to discover possible attacks based on aspy camera. The attacks should appear normalto user experience. The main challenge is tomake the attacks run stealthily and silently sothat they do not cause a user alert. Specifically,the attacks are supposed to have a translucentview, make no sound or vibration, and checkphone resource utilization before launchingthemselves. The general architecture shouldinclude the following six parts. Figure 1 showsthe architecture of a basic spy camera attack.

Step 1: To prevent the user from suspecting,the malware should consider the current CPU,memory usage, and battery status. Launching theattack when CPU and memory usage are alreadyhigh could make a phone’s performance evenworse. Users tend to be concerned about theunsmooth experience, and check if any app orservice is running in the background. Similarconcern happens with energy consumption, espe-cially when the phone’s battery is low and is notbeing charged. A camera attack could drain thebattery faster than the user’s expectation andcause user suspicion about possible attacks.Hence, before launching the attack, malicious

Nowadays, people

carry their phones

everywhere; hence,

their phones see lots

of private

information. If the

phone camera is

exploited by a

malicious spy camera

app, it may cause

serious security and

privacy problems.


IEEE Communications Magazine • March 201482

camera apps want to ensure that systemresources are plentiful. For Android phones,memory usage could be obtained through thegetMemoryInfo() function of ActivityManager,information related to CPU utilization is avail-able from “/proc/stat,” while current battery leveland charging status can be obtained by register-ing a BroadcastReceiver with ACTION_BAT-TERY_CHANGED.

Step 2: After ensuring sufficient resources forlaunching attacks, a malicious camera app cancontinue on the remaining actions. First, the appcan turn off the phone’s sound and vibration,which can be achieved by setting the systemsound AudioManager.STREAM_SYSTEM to 0and the flag to FLAG_REMOVE_SOUND_AND_VIBRATE. The app can log the currentvolume level and vibration status, and resumethe parameters after the attack.

Step 3: The difficult task is to hide the cam-era preview. At the beginning, the layout con-taining the SurfaceView is inflated into a view viaLayoutInflater.inflate(). Then the app can set theview parameters by changing the attributes ofWindowManager.LayoutParams. Two importantattributes must be set: TYPE_SYSTEM_OVER-LAY, which makes the preview window alwaysstay on top of other apps; the other one isFLAG_NOT_FOCUSABLE, which disables theinput focus of a spy camera app such that inputvalues would be passed to the first focusablewindow underneath. This would turn the camerapreview into a floating and not focusable layer.Then the app changes the size of preview (Sur-faceView) to the minimum pixel (1 pixel), whichhuman eyes cannot notice. This cannot be setdirectly through setPreviewSize(). Instead, theapp needs to get the layout parameter of Sur-faceView by using SurfaceView.getLayout-Params(). Notice that the type ofSurfaceView.getLayoutParams() is ViewGroup.LayoutParams instead of the aforementionedWindowManager.LayoutParams. Finally, the appcan add the hidden preview dynamically to thewindow by the addView function.

Step 4: After setting up the layout, the attackcould be launched as follows: initialize the Sur-faceHolder, choose which camera (front or back)is used, and open the camera to take pictures orrecord videos. The photo/video data are sup-posed to be stored in disguises, including usingconfusing filenames and seldom visited directo-ries. The app releases the camera after the aboveactions.

Step 5: After the camera attack finishes, theapp sets the audio volume and vibration statusback to its original values. This way, the deviceowner would not find any abnormality.

Step 6: The last step of the attack is to trans-mit the collected data to the outside. Since cellu-lar network usage and MMS may cause extrafees, the best choice is to wait until free WiFiaccess is available. For example, it could use thejavax.mail to send the data as an email attach-ment. Most email systems limit the maximumsize of attachments, so the length of a videoshould have an upper bound specific to theemail service.

THE REMOTE-CONTROLLEDREAL-TIME MONITORING ATTACK

The basic camera attack can be furtherenhanced to more aggressive attacks. Forexample, the attacker can remotely control thespy camera app such that the time to launchand end the attack is under control. The sim-plest way to implement the remote control isby socket. After the malicious app is down-loaded and installed on a victim’s phone, itsends a “ready” message along with the IPaddress and port number to the attacker’sserver. Then the attacker can control the appwith orders like “launch” and “stop” or specifya time schedule.

There are many Android apps that turn thephone into a security surveillance camera,such as Android Eye [6]. The spy camera caneasi ly be extended to a stealthy real-t imemonitor based on the way an IP camera isbuilt. NanoHttpd [7] is a lightweight HTTPserver that can be installed on a phone. In ourcase, we can start an HTTP server at a givenport which supports dynamic file serving suchthat the captured videos can be played onlineupon requests from a browser client. Figure 2shows the video taken by a real-time spy cam-era of a mobile phone. Figure 2a is the envi-ronment in which an Android phone islocated. Although the phone’s screen is show-ing its app menu, it actually captures videosthrough the front-face camera. Figure 2b isthe view of the phone camera, which isaccessed from a PC browser. The address isthe IP address of the phone and the port num-ber of the server.

In this section, we discuss the remote-con-trolled real-time monitoring attack, which couldpose a big threat to a phone user’s privacy: dailyactivities and surrounding environment are allunder the eye of the attacker. Camera-basedattacks can be detected when multiple appsrequest the camera device at the same time or ifthe camera is being used by another app. Butthis can easily be avoided by selecting the timeto launch attack. The malicious camera app canperiodically check the screen status and run thestealthy video recording only when the screen isoff, which means that the user is not using thephone and the camera device is idle. The statusof the phone screen can be obtained by register-ing two broadcast receivers, ACTION_SCREEN_ON and ACTION_ SCREEN_OFF.

Figure 1. The basick camera attack architecture.

Detectresource

utilization

Shutdownsound andvibration

Preview hiding

Send outphoto or video

via email

Recovervolume and

vibrationPicture/video

storage



THE VIDEO-BASED PASSCODEINFERENCE ATTACK

Since the virtual keyboard in a touch screensmartphone is much smaller than computer key-boards, the virtual keys are very close to eachother. Based on measurement of a Galaxy Nexus4 phone, even an offset of 5 mm could result intouching the wrong key. Hence, when typing,users tend to keep a short distance to the screen,which allows the phone (front) camera to have aclear view of a user’s eye movements. A user’seyes move along with the keys being touched,which means that tracking the eye movementcould possibly tell what the user is entering.Thus, it is of great importance to investigatewhether an attacker could obtain a phone user’spasscode by tracking the eye movements.

As computer vision techniques are advancingand becoming more accurate, an offline process-ing of the video can extract the eye position ineach frame and draw the path of eye move-ments, which means that an attacker could inferthe passcode based on the video captured by aspy camera app. In this section, we discuss twotypes of camera attacks for inferring passcodes.We also discuss the computer vision techniquesfor eye tracking that can be utilized in theattacks.

THE APPLICATION-ORIENTED ATTACKThe first type of attack is the application-orient-ed attack, which aims at getting the credentialsof certain apps. Figure 3 gives some examples ofapp passcodes. Most apps (like Facebook) thatrequire authentication contain letters, whichneed a complete virtual keyboard, as shown inFig. 3a. Figures 3b and 3c show two other typesof popular passcodes, pattern and PIN, which wediscuss in detail later. Smart App Protector is alocker app by which a user is able to lock appsthat need extra protection (i.e., Gallery, messag-ing, and dialing apps).

For a successful passcode inference attack,the video must be captured during user authenti-cation. An effective way is to poll the runningtask list and launch the attack as soon as the tar-get app appears on top of the list. Specifically,using the getRunningTasks() function of Activity-Manager, we can get the name of the mostrecently launched app. Meanwhile, the detectionservice scans the running apps and resource uti-lization periodically. When attack conditions aremet, it opens the camera and secretly takesvideos of the user’s face (especially the eyes)with a front-face camera for a time long enoughto cover the entire authentication process.

There are several other factors we need toconsider to ensure the attack is effective andefficient. First, the detection service of a spycamera app must be launched beforehand, byeither tempting the user to run the app or regis-tering an ACTION_BOOT_COMPLETEDreceiver to launch when booting is finished. TheRECEIVE_BOOT_COMPLETED permission isa commonly requested permission that wouldnot be considered dangerous. Second, pollingtask lists frequently leads to extra consumptionof energy resource. To improve the efficiency of

scanning, the detection service is active onlywhen a user is using the phone. As mentionedbefore, this can be determined by screen status.The detection service will cease when the screenis off and continue when the screen lights upagain. Moreover, the scanning frequency shouldbe set properly. In a phishing attack [8], a mali-cious app needs to poll the running task listevery 5 ms to prevent the user from noticing thata new window (the fake app) has replaced theoriginal one. In our phone camera attack, theview is totally translucent to users, so that worryis unnecessary. However, we still need to keepthe frequency at around two scannings per sec-ond; otherwise, the attack may happen after theuser starts entering the passcode (which makesthe attack unsuccessful).

THE SCREEN UNLOCKING ATTACKIn this subsection, we discuss another type ofattack. The attack is launched when a user isentering a screen unlocking passcode. We cate-gorize this scenario as a different attack modelsince it is unnecessary to hide the camera pre-view under this circumstance.

To achieve privacy, an Android system wouldnot show the user interface until a visitor provesto be the device owner by entering the correctcredential. This accidentally provides a shield forspy camera attacks targeted at the screen unlock-ing process. Users never know that the camera is

Figure 2. Demo of the real-time monitoring attack: a) overall view of thephone environment; b) scene captured by phone camera.

(a)

(b)



working, even though the camera preview isright beneath the unlocking interface.

We demonstrate the screen unlocking pass-code inference attack. Its difference from theapplication-oriented attack is the condition tolaunch the attack and the time to stop. Intuitive-ly, the attack should start as soon as the screenturns on and should end immediately as thescreen is unlocked. This can be achieved in twokey steps:• Registering a BroadcastReceiver to receive

ACTION_SCREEN_ON when a user lightsup the screen and begins the unlocking pro-cess

• Registering another BroadcastReceiver toreceive ACTION_USER_PRESENT when apasscode is confirmed and the screen guardis gone

The second step guarantees that the camera ser-vice would stop recording and end itself immedi-ately when the user interface is switched on. Inaddition, the attack should consider the situation

with no screen locking passcode. To avoid beingexposed, the spy camera app should check key-guardmanager with the isKeyguardLocked() func-tion to make sure the screen is locked beforelaunching the attack.

To simplify the screen unlocking process, theAndroid system provides alternative authentica-tion methods in addition to the conventionalpassword: pattern and PIN. A pattern is a graph-ical passcode composed of a subset of a 3 × 3grid of dots that can be connected in an orderedsequence. There are some rules for the combina-tion of dots:• The number of dots chosen must be at least

4 and no more than 9.• Each dot can be used only once.A PIN is a pure-digit passcode with lengthranging from 4 to 16, and repetition is allowed.Both alternatives are extensively used in screenunlocking of Android phones. The relativelylarger distance between adjacent keys effective-ly relieves a user’s eye fatigue problem. How-ever, this also brings vulnerability tovideo-based passcode inference attacks sincethe larger scale of eye movement makes theattack easier.

VIDEO-BASED EYE TRACKING TECHNIQUESIn the eye tracking field, two types of imagingapproaches are commonly used: visible andinfrared spectrum imaging. Visible spectrumimaging passively utilizes the ambient lightreflected from the eye, while infrared spec-trum imaging is able to eliminate uncontrolledspecular reflection with active infrared illumi-nation. Although infrared spectrum eye track-ing is more accurate, most smartphones todayare not equipped with infrared cameras.Hence, we focus on visible spectrum eye track-ing. For images captured by visible spectrumimaging, often the best feature to track is thecontour between iris and sclera known as thelimbus [9].

Li et al. [9] propose the Starburst eye trackingalgorithm, which can track the limbus of the eye.As we can see from Fig. 4a, in visible spectrum,they can locate where the eye is looking in areal-time manner. However, Starburst requirescalibration by manually mapping between eye-position coordinates and scene-image coordi-nates. This can be performed only by the phoneowner, which makes it infeasible in spy cameraattacks.

Aldrian [10] presents a method to extractfixed feature points from a given face in visiblespectrum, which is based on the Viola Jonesadaboosted algorithm for face detection. But itis able to track pupil movement without sceneimage and calibration, as shown in Fig. 4b. Weadopt this eye tracking algorithm in our researchto extract eyes from videos.

IMPLEMENTATION AND EVALUATIONWe have implemented the remote-controlledreal-time monitoring and passcode inferenceattacks on real phones including the Nexus S4G (Andriod 4.1), Galaxy Nexus (Android 4.2),and Nexus 4 (Android 4.3 with SecurityEnhanced support). For passcode inference

Figure 4. Demo of existing eye tracking techniques: a) Starbust eye trackingdemo; b) fast eyetracking demo.

(a)

(b)

Figure 3. Different types of passcodes: a) password; b) pattern; c) PIN.

(a) (b) (c)



attacks, a computer vision technique for eyetracking is used to process the captured video.The evaluation of the feasibility and effective-ness of the attacks is based on the experimen-tal results.

IMPLEMENTATIONBoth camera-based attacks are successfullyimplemented on Android phones equippedwith a front-face camera. The spy camera appsare completely translucent to phone users andwork without causing any abnormal experi-ences. When WiFi access is enabled, the cap-tured data is transmitted to the attacker via alocal HTTP server or email. To test the stealth-iness of the attacks, we install two popularantivirus apps: AVG antivirus and NortonMobile Security. Neither of the two antivirusapps has reported warning during the entirevideo capturing and transmission process. Thisdemonstrates their resistance to mobile anti-virus tools.

FEATURE ANALYSIS OF THEPASSCODE INFERENCE ATTACK

An important feature that enhances the effec-tiveness of a passcode inference attack is that itcan be launched repeatedly, which allows certainpasscodes to be “attacked” many times. In thisway, an attacker could get a set of possible pass-codes and keep launching attacks until the cor-rect one is found.

The passcode inference attack depends onthe victim’s eye movement instead of analyzingvideos containing the screen [4] or its reflection[5], which makes it harder to achieve high andstable one-time success rates. In addition, thereare complex factors that may influence its per-formance, such as the distance between face andphone, lighting conditions, velocity of eye move-ments, pause time on each key, and head/deviceshaking when typing. Among these experimentalconditions, only the lighting condition can bekept constant during our experiments.

Table 1. Passcode inference results for four-digit passcodes.

322320

361

360

362

363

364

365

366

367

368

369

324326328330332 334336338

Real Psscd Eye movement

155150

320

318

322

324

326

328

330

332

334

336

160 165 170 175 180

Eye movement

320

420418416414412410408406404402400

325 330 335 340

Eye movement

1459

Real Psscd

1687

Real Psscd

1450

Possible Psscds

1459

Possible Psscds

168716857168587

Possible Psscds

145014582569

308354

364365

363362361360359358357356355

310 312 314 316 318 320 334332395

404405

403402401

400399398397

396

336 338 340 342 344 346 170

378

376

374

372

370

368

366

364

175 180 185

1486 1479 18561486147861786

1479 185614856

372

370

368

366

364

362

322 324 326 328 330 332 334 336 184378

387388

386385384

383382381380

379

186 188 190 192 194 308

386

384

382

380

378

376

374

372

310312314316318320322324326

1359 2548 1793

13591365913589136589123591236591235891236589

25483659

17931452256347855896

314340

350

348

346

344

342

316 318 320 322 324 326 324338

344

345

343

342

341

340

339

325326 327328 329330331332 318

380

375

370

365316 320322324326328330332334314

1953 2856 1759195315953

285625856174514745

175914759

310

356

354

352

350

348

346

344

315 320 325 170

372374

370368366364362360358356354

175 180 185 190 142

387

386

385

384

383

382

381

380

388

144 146 148 150140

4734 1490 159547344753447354475354

14901790 1595

300389

397

398

396

395

394

393

392

391

390

302 304 306 308 310 156154412

419

420

418

417

416

415

414

413

158 160 162 164 260

830

835

825

820

815

810

805270 280 290 300250

2450 1741 1865

24502480245835693469

174114741285225852508558085396336963

18651895106510981095



To test the effectiveness of the passcodeinference attacks with different types of pass-codes, we use the conventional password, pat-tern, and PIN in our experiments. By comparingthe rules of pattern and PIN, we find that pat-tern combination is actually a subset of PIN. Inaddition, the outlines of the two passcodes aresimilar (both are squares). Hence, we presenttheir results and discuss their performancetogether. Another consideration for experimentsis the length of pattern and PIN. In fact, peoplerarely use long PINs and complex patterns sincethey are hard to memorize and impractical forfrequent authentications such as screen unlock-ing. This can be best illustrated by Apple iOS’sfour-digit PIN for screen unlocking. Hence, inour experiments we choose a four-digitpattern/PIN for testing.

PERFORMANCE EVALUATIONWe process videos containing user eye move-ment with the aforementioned computer visiontechnique [10]. Due to the tight configuration ofthe virtual keyboard and limitation of visiblespectrum imaging, the performance of inferringa conventional password is poor and unstable.However, the possibility of compromising pat-terns and PINs is shown to be much higher. Inour evaluation, 18 groups of 4-digit passcodeswere tested, and the results are listed in Table 1.

In Table 1, each group consists of three com-ponents: real passcode (Real Psscd), eye move-ment, and possible passcodes (possible Psscds).Since the shape of the 9-dot pattern keypad and

10-digit PIN keypad is similar to a square, theresults of eye movement are drawn in a square.Therefore, position projection can be used toinfer input keystrokes.

We find that in some cases, the correct pass-code can be inferred accurately, while in othercases, it is in a small group of possible pass-codes. For example, from the first row in Table1, passcode 1459 can be directly inferred, while1687 and 1450 both have three candidates. Theattacker could further narrow down the possiblepasscode set by launching more attacks and find-ing out the intersection. Furthermore, when theowner is not using the phone, the attacker maytry different possible passcodes and see whichone works.

COUNTERMEASURESIn this section, we discuss possible countermea-sures that can protect Android phones againstthese spy camera attacks.

In an Android system, no application pro-gramming interface (API) or log file is availablefor a user to check the usage of a camera device.Hence, detection of camera-based attacksrequires modification to the system. We makechanges to the CheckPermission() function ofActicityManagerService and write a lightweightdefense app such that whenever a camera isbeing called by apps with CAMERA permission,the defense app will be informed along with thecaller’s Application Package Name. The Appli-cation Package Name is a unique identifier inAndroid, and third party apps cannot reuse thename of built-in apps like a Camera(com.android.gallery3d). By looking at the appname, we are able to identify the built-in cameraapp (that is known to be safe), and no alert willbe generated.

Then we design a further checking mecha-nism for third party camera-based apps. Analyz-ing activity pattern is an effective approach inmalware detection. For each type of spy cameraattack, we are able to extract a specific featurefrom its activity pattern. The activity pattern ofspy camera apps are totally different from legiti-mate camera apps. To avoid collision in the useof cameras, a remote-controlled real-time moni-toring attack runs when the screen is off. Theapplication-oriented passcode inference attacklaunches immediately after another app runs.The screen unlocking attack runs when thescreen turns on but remains locked. The defenseapp is able to decide the dynamic launch patternof camera related apps by polling the task list. Ifa camera app calls a camera in one of the abovesituations, the defense app gives warnings to thephone user.

There are three parts of warnings in ourdefense scheme. First, an alert dialog includingthe name of the suspicious app is displayed. Incase the warning message cannot be seen imme-diately by the user (e.g., the user is not using thephone), the defense app will also make soundand vibration to warn the user of spy cameraattacks. Besides, the detailed activity pattern ofsuspected apps are logged so that the user cancheck later. As shown in Fig. 5, the spy cameraapp named com.example.as_bakvideo_ lock calls

Figure 5. Defense against spy camera attack.

The defense app is

able to decide the

dynamic launch

pattern of camera

related apps by

polling the task list.

If a camera app calls

camera in one of the

above situations, the

defense app would

give warnings to the

phone user.


IEEE Communications Magazine •March 2014 87

the camera as soon as Facebook is launched.This process is detected by the defense app, anda warning message with its name is displayedbefore the user enters his/her credentials.

CONCLUSIONIn this article, we study camera-related vulnera-bilities in Android phones for mobile multimediaapplications. We discuss the roles a spy cameracan play to attack or benefit phone users. Wediscover several advanced spy camera attacks,including the remote-controlled real-time moni-toring attack and two types of passcode infer-ence attacks. Meanwhile, we propose an effectivedefense scheme to secure a smartphone from allthese spy camera attacks. In the future, we willinvestigate the feasibility of performing spy cam-era attacks on other mobile operating systems.

ACKNOWLEDGMENTThis work was supported in part by the U.S.National Science Foundation under grants CNS-0963578, CNS-1022552, CNS-1065444, CNS-1116644, and CNS-0958477.

REFERENCES[1] Y. Zhou and X. Jiang, “Dissecting Android Malware:

Characterization and Evolution,” IEEE Symp. Securityand Privacy 2012, 2012, pp. 95–109.

[2] R. Schlegel et al., “Soundcomber: A Stealthy and Con-text-Aware Sound Trojan for Smartphones,” NDSS,2011, pp. 17–33.

[3] N. Xu et al., “Stealthy Video Capturer: A New Video-Based Spyware in 3g Smartphones,” Proc. 2nd ACMConf. Wireless Network Security, 2009, pp. 69–78.

[4] F. Maggi, et al.,“A Fast Eavesdropping Attack againstTouchscreens,” 7th Int’l. Conf.Info. Assurance andSecurity, 2011, pp. 320–25.

[5] R. Raguram et al., “ispy: Automatic Reconstruction ofTyped Input from Compromising Reflections,” Proc.18th ACM Conf. Computer and Commun. Security,2011, pp. 527–36.

[6] “Android-eye,” https://github.com/Teaonly/android-eye, 2012.

[7] “Nanohttpd,” https://github.com/NanoHttpd/nanohttpd.

[8] A. P. Felt and D. Wagner, “Phishing on Mobile Devices,”Proc. WEB 2.0 Security and Privacy, 2011.

[9] D. Li, D. Winfield, and D. Parkhurst, “Starburst: AHybrid Algorithm for Video-Based Eye Tracking Com-bining Feature-Based and Model-Based Approaches,”IEEE Computer Soc. Conf. Computer Vision and PatternRecognition — Workshops, 2005, p. 79.

[10] P. Aldrian, “Fast Eyetracking,” http://www.math-works.com/matlabcentral /fileexchange/25056-fast-eye-tracking, 2009.

BIOGRAPHIESLONGFEI WU ([email protected]) is a Ph.D. candidatein the Department of Computer and Information Sciencesat Temple University under the supervision of Dr. XiaojiangDu. He received his B.E. degree in communication engi-neering from Beijing University of Posts and Telecommuni-cations, China, in 2012. His research interests includesmartphone security and wireless networks.

XIAOJIANG (JAMES) DU [SM] ([email protected]) is an associateprofessor in the Department of Computer and InformationSciences at Temple University. His research interests aresecurity, cloud computing, wireless networks, and comput-er networks and systems. He has published over 100 jour-nal and conference papers. He has been awarded morethan $3 million in research grants from the U.S. NSF andArmy Research Office. He is a Life Member of ACM.

XINWEN FU ([email protected]) is an associate professorin the Department of Computer Science, University of Mas-sachusetts Lowell. He obtained his Ph.D. (2005) in comput-er engineering from Texas A&M University. His currentresearch interests are in network security and privacy, anddigital forensics.He has published papers in conferencessuch as IEEE S&P, ACM CCS, and ACM MobiHoc; and injournals such as ACM/IEEE Transactions on Networking. Hisresearch is supported by NSF.

DU_LAYOUT_Layout 3/4/14 4:02 PM 7

security threats to mobile multimedia applications: camera...

Documents