Team develops a simple defense for complex smartphone malware (w/ video)

Feb 28, 2013 by Kevin Storr

(Phys.org)—University of Alabama at Birmingham (UAB) researchers have developed simple but effective techniques to prevent sophisticated malware from secretly attacking smartphones. The Tap-Wave-Rub (TWR) methods – tapping, waving a hand over or rubbing the phone's proximity sensor – are being presented at the 6th Association for Computing Machinery Conference on Security and Privacy in Wireless and Mobile Networks (WiSec'13) April 17-19, 2013, in Budapest, Hungary.

The designers say the TWR system will turn the smartphone's weakest security component, the user, into its strongest defender.

"The most fundamental weakness in mobile device security is that the security decision process is dependent on the user," says Nitesh Saxena, Ph.D., the director of the Security and Privacy In Emerging computing and networking Systems (SPIES) lab and assistant professor of computer and information sciences at UAB. "For instance, when installing an app, the user is prompted whether or not the application should have permissions to access a given service on the phone. The user may be in a rush or distracted, or maybe it is the user's kid who has the phone. Whatever the case may be, it is a well-known problem that people do not look at these warnings; they just click 'yes.'"

It is this weakness of the human user that malicious entities exploit. For example, a malware writer whose goal is to make hidden phone calls or texts to premium rate numbers may hide malicious code within a simple tic-tac-toe app. When prompted at the time of installing this game app, pressing "yes" would allow the game to make phone calls.

Attackers create a phone or text number that charges large sums of money for use. The malware then triggers a program that asks your mobile device to call or text that number. Such malware is already prevalent, and researchers and practitioners anticipate this and other forms of malware to become one of the greatest threats affecting millions of smartphone users in the near future.

Accepting terms on computers and smartphones is habitual repetition, and hackers with malicious intent know this; they can leverage a user's vulnerability to, among other things, make a harmless-looking game dangerous.

TWR works by using the proximity sensor that comes standard in most smartphones. These sensors, for example, save power by turning the screen off when a phone is near the user's ear.

TWR methods help verify the user's desire to voice dial or message, or access any other resource on the phone, by requiring the user to tap, wave their hand over or rub the sensor before actions are executed. By means of a TWR gesture, the device basically captures the user's intent to perform an action. In the absence of this gesture, when a malicious app attempts to dial a phone number, the device will simply block it. The strength of this malware defense lies in its simplicity and broad applicability to different forms of constantly evolving malware.

Saxena's team carefully chose tapping, waving and rubbing because they are the least likely movements to be replicated accidentally. In other words, the device will be less likely to confuse any of those motions during daily activities such as walking, dropping the phone or playing a video game.
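
The gating described above, as an added example in Python (not the UAB team's code): a sensitive action goes through only if a rub gesture was just seen on the proximity sensor. The gesture definition, the thresholds, the freshness window and the single-use rule are assumptions, and the sensor traces are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed parameters, not taken from the article or the WiSec'13 paper.
MIN_FLIPS = 4            # near/far changes that count as a deliberate rub
GESTURE_WINDOW_S = 1.5   # all of those changes must fall within this span
FRESHNESS_S = 3.0        # a gesture only covers a request made this soon after


def detect_rub(samples):
    """samples: [(timestamp_s, is_near), ...] from the proximity sensor.
    Returns the time the gesture completed, or None if no rub was seen."""
    flips = [t for (t, near), (_, prev) in zip(samples[1:], samples) if near != prev]
    for i in range(len(flips) - MIN_FLIPS + 1):
        end = flips[i + MIN_FLIPS - 1]
        if end - flips[i] <= GESTURE_WINDOW_S:
            return end
    return None


@dataclass
class IntentGate:
    """Blocks sensitive actions unless a fresh, unused gesture precedes them."""
    last_gesture: Optional[float] = None

    def on_sensor(self, samples):
        done = detect_rub(samples)
        if done is not None:
            self.last_gesture = done

    def authorize(self, action, now):
        g, self.last_gesture = self.last_gesture, None   # single use (assumption)
        allowed = g is not None and 0 <= now - g <= FRESHNESS_S
        print(f"{action}: {'allowed' if allowed else 'blocked'}")
        return allowed


# Constructed sensor traces.
IN_POCKET = [(0.0, False), (0.5, True), (5.0, True)]             # covered once
AT_EAR = [(0.0, False), (1.0, True), (61.0, False)]              # a phone call
RUB = [(10.0, False), (10.2, True), (10.4, False), (10.6, True), (10.8, False)]

if __name__ == "__main__":
    gate = IntentGate()
    gate.on_sensor(IN_POCKET)
    gate.authorize("dial premium-rate number", now=6.0)   # blocked: no gesture
    gate.on_sensor(RUB)
    gate.authorize("dial contact", now=11.5)              # allowed
    gate.authorize("send SMS", now=11.6)                  # blocked: gesture used
```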

"We purposely designed the TWR program to not involve yes/no and to force people to stop for a moment and think about whether or not the action requested by the phone is what they really would like their mobile device to perform," Saxena said.

There is a disclaimer.

"Any mechanism may not guarantee 100 percent safety, as there is always a little chance of error," Saxena said. "You must also pay attention to what you are downloading and what permissions are granted at the time of installation to fully protect yourself."

UAB graduate student Babins Shrestha, a researcher in the SPIES Lab who coauthored the article, will present the paper at WiSec'13.

"There are anti-virus applications available for but, unlike our method, they are ineffective, eat up your phone's resources and cannot keep up with new strains of malware," Shrestha said.

UAB undergraduate student Justin Harrison has also been involved with the project, integrating the TWR gestures with the voice dialing service. The project team, which is funded by the National Science Foundation and includes researchers from University of Michigan-Dearborn, also developed an implicit gesture mechanism—"phone tapping"—explicitly geared for protecting near field communication (NFC) transactions. These usually require the user to tap their phone with a payment terminal or another phone. This gesture is detected using the phone's accelerometer, which is also standard on all smartphones.

More information: www.sigsac.org/wisec/WiSec2013/

User comments : 6

gwrede
1 / 5 (2) Feb 28, 2013
Elementary psychology, dear Watson. But it's good to know that somebody uses it to help us. Kudos.
antialias_physorg
2 / 5 (2) Mar 01, 2013
What stops malware from sending a TWR-event? (i.e. how does the security software distinguish a call to a TWR-method made by software as opposed to a call from the TWR method due to electric impulses from the sensor?)

It's a method that will work for a while. But it seems rather trivial to dupe if the malware has access to driver level functionality.
trekgeek1
not rated yet Mar 01, 2013
What stops malware from sending a TWR-event? (i.e. how does the security software distinguish a call to a TWR-method made by software as opposed to a call from the TWR method due to electric impulses from the sensor?)



Immediately what I thought. You can just write the malware so that it tells the phone that it received the "go ahead" signal. You'd have to do this on a hardware level. Have a small LED hardwired to the transceiver circuitry so that it lights up when it is active. Nothing software mask-able; a straight wire to LED circuit. Maybe a signal sent to your speaker for a brief moment that beeps to indicate a call has started, in case it is not in sight. To disable this feature, a jumper setting in the battery compartment, that way no software can alter it.
dbsi
not rated yet Mar 01, 2013
Maybe a signal sent to your speaker for a brief moment that beeps to indicate a call has started, in case it is not in sight. To disable this feature, a jumper setting in the battery compartment, that way no software can alter it.


This is not very secure either.
... malware options with high success percentage:
> make the calls during deepest sleep period
> make calls in noisy environments
> mask it with alarms

trekgeek1
not rated yet Mar 01, 2013
Maybe a signal sent to your speaker for a brief moment that beeps to indicate a call has started, in case it is not in sight. To disable this feature, a jumper setting in the battery compartment, that way no software can alter it.


This is not very secure either.
... malware options with high success percentage:
> make the calls during deepest sleep period
> make calls in noisy environments
> mask it with alarms



Maybe redesign the transmitter so it needs a discrete to enable operation. Make this discrete purely hardware driven. Dial a number, press send, then have to press a button on the side of the phone to allow the transmitter to send data. No masking through software.
dbsi
not rated yet Mar 02, 2013
We could end up having a hardware interrupt for every security-critical function and need to check the data effectively sent or the number effectively dialed. Another serious problem is that almost every application requests full internet access, access to your phone and personal data... and you don't really know why. You either accept all or you can't use it at all.