Who activated my Voice Assistant? a stealthy attack on Android phones without users’ awareness

Rongjunchen Zhang, Xiao Chen, Sheng Wen, James Zheng

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

9 Citations (Scopus)

Abstract

Voice Assistant (VAs) are increasingly popular for human-computer interaction (HCI) smartphones. To help users automatically conduct various tasks, these tools usually come with high privileges and are able to access sensitive system resources. A comprised VA is a stepping stone for attackers to hack into users’ phones. Prior work has experimentally demonstrated that VAs can be a promising attack point for HCI tools. However, the state-of-the-art approaches require ad-hoc mechanisms to activate VAs that are non-trivial to trigger in practice and are usually limited to specific mobile platforms. To mitigate the limitations faced by the state-of-the-art, we propose a novel attack approach, namely Vaspy, which crafts the users’ “activation voice” by silently listening to users’ phone calls. Once the activation voice is formed, Vaspy can select a suitable occasion to launch an attack. Vaspy embodies a machine learning model that learns suitable attacking times to prevent the attack from being noticed by the user. We implement a proof-of-concept spyware and test it on a range of popular Android phones. The experimental results demonstrate that this approach can silently craft the activation voice of the users and launch attacks. In the wrong hands, a technique like Vaspy can enable automated attacks to HCI tools. By raising awareness, we urge the community and manufacturers to revisit the risks of VAs and subsequently revise the activation logic to be resilient to the style of attacks proposed in this work.

Original languageEnglish
Title of host publicationMachine Learning for Cyber Security
Subtitle of host publicationSecond International Conference, ML4CS 2019 Xi’an, China, September 19–21, 2019 Proceedings
EditorsXiaofeng Chen, Xinyi Huang, Jun Zhang
Place of PublicationCham Switzerland
PublisherSpringer
Pages378-396
Number of pages19
ISBN (Electronic)9783030306199
ISBN (Print)9783030306182
DOIs
Publication statusPublished - 2019
Externally publishedYes
EventInternational Conference on Machine Learning for Cyber Security 2019 - Xi'an, China
Duration: 19 Sept 201921 Sept 2019
Conference number: 2nd
https://link.springer.com/book/10.1007/978-3-030-30619-9 (Proceedings)

Publication series

NameLecture Notes in Computer Science
PublisherSpringer
Volume11806
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

ConferenceInternational Conference on Machine Learning for Cyber Security 2019
Abbreviated titleML4CS 2019
Country/TerritoryChina
CityXi'an
Period19/09/1921/09/19
Internet address

Keywords

  • Android
  • Smartphone
  • Software security
  • Systems security
  • Voice Assistant

Cite this