CyberWire Daily - Android device eavesdropping investigation. [Research Saturday]
Episode Date: September 15, 2018 A team of researchers from Northeastern University and UC Santa Barbara examined over 17,000 Android apps, and revealed a number of alarming privacy risks. Elleen Pan and Christo Wilson were members of the research team, and they join us to share what they found. The research is titled Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications. It can be found here: https://recon.meddle.mobi/papers/panoptispy18pets.pdf
Transcript
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
There's this persistent rumor that our smartphones are surveilling us.
That's Christo Wilson. He's an associate professor at Northeastern University in the computer science department.
In a few moments, we'll also hear from Elleen Pan.
She's one of the co-authors of the research and a recent graduate of Northeastern University.
The research we're discussing today is titled Panoptispy, Characterizing Audio and Video Exfiltration
from Android Applications. I don't know if it's clear where this started, but I would say that
this is probably a rational fear. These are very powerful devices. We know they have mics and cameras and that apps can use those sensors.
And we also know that a lot of data is collected from these devices for the purposes of advertising.
You know, this is why apps are free. So the idea that the mic would be turned on,
or the camera would be turned on, and, you know, information harvested for ad purposes,
it seems plausible.
Yeah. And I think we also have these uncanny feelings that with all of this ad tracking that
you'll find yourself browsing for something, shopping for something, and then it seems as
though that product follows you around on the internet. Yeah, absolutely. So retargeted ads,
the kind that you're describing that are a specific product that follows you around, they're kind of creepy.
And everyone has seen this.
So you decided to follow up on this.
Take us through what was your approach?
We wanted to get a lot of apps and we also wanted to broadly cover what apps were doing in terms of different apps from different stores.
That's Elleen Pan.
We took 17,000 apps that were asking for camera and audio permissions. And then
we ran automated experiments on them and collected the network traffic in order to see whether
this type of media exfiltration was happening. And at the end of it, we ended up not finding audio being exfiltrated, but we did find
some other stuff like screen recordings and some unexpected photo exfiltration as well.
So let's dig into it some here. Take me through the gathering up of the devices and the types of
techniques you use to test them out. So we have a closet full of Android phones
that are an automated testbed.
And then we go to the various app stores
and we grab the most popular applications
from different categories.
You know, as Elleen said, about 17,000 of them.
So then one at a time, those apps get sent to a test phone
and there's a program that interacts with
it. So it clicks on buttons, it types on the keyboard, it tries to access different screens,
and that happens for about five minutes. And in the background, we're recording everything the
app is doing. So everything that is sent over the network and the recipient of all of this information. So most of the stuff that gets sent
is just text. But what Elleen did is she developed a way to extract the video and audio and images
that were potentially getting sent out. So anytime an app tried to send something,
we would get a copy and we would know who sent it and who they were sending it to.
And what kind of apps are we talking about here? Does it run the gamut?
Yeah, so it's everything that's popular in the App Store across every category.
So all the top social networking apps, there's probably some games in there,
note-taking apps, weather apps, Uber, everything that's popular in the store, basically.
I think that many people, their focus is on Facebook specifically,
that they feel as though they've reached the conclusion that Facebook is listening in on them.
The story that you hear is that I was discussing a vacation to Hawaii,
and suddenly in Facebook up popped flights to Hawaii or travel sites or things like that. Did you look specifically
at Facebook? We did, but the caveat is that Facebook is easily one of the most complicated apps
probably in the entire app store. So what were you able to do and what were the conclusions that
you came to? So we tested Facebook the same way we tested everybody. We automatically run it and
interact with it. But for example, we didn't log in. So if Facebook only records after you've
signed in, we would not have triggered that. Now, did you do anything with playing audio files
in a room to see if those audio files got then sent out? So they were sitting in a room and there was some
ambient activity. We also kind of pre-loaded the phones with content. So there were images,
videos, and audio clips already kind of sitting there. And we were waiting to see if the app
would notice those and try to send those as well. And so when you're looking at the phones and the
kinds of things that they're sending back,
what specifically was being trafficked? So in terms of all traffic, we saw a lot of text,
as mentioned before. But with media specifically, we saw some photos and videos. And a lot of the
photos, they were intentionally sent. So it was part of the app's purpose to send these pictures
home based on like sharing or other intentional activity in the app. But we manually validated
all the media that was sent out to ensure the ones that we claimed were leaks were actually leaks.
For example, there was a small number of apps that say they do photo editing. And
the assumption from a user would
be that this is local, right? You edit the photo and add filters on your phone. But actually what
they're doing is they take the image and send it to a server. The processing is done remotely,
and then they send you the result back. This was either not disclosed or it was buried deep in a
privacy policy where no person would ever see it.
In addition to that, some of them don't have indication that they're using any type of
internet services, so like social media sharing or posting on a feed. And so it's really reasonable
to expect that the user would have no idea that the photo is leaving their device.
And we also found some that were not encrypted over the internet.
So eavesdroppers could basically take a look at the network
and see other people's pictures.
The other disturbing case study we found was this library
that's targeted for developers to help debug their apps.
So this library was essentially doing screen recording.
So you would open an app.
Everything you did in that app would be streamed to a third party for analytics and debugging purposes.
But this is, of course, not disclosed to the user.
There's no indication that everything on the screen is being recorded and sent.
It's equivalent to essentially someone looking over your shoulder and watching everything you do in this app.
Now, were there any examples where the apps were clearly up to no good, that there was foul play going on?
I would say no.
We were initially sort of concerned that we were going to find really malicious apps, things that were spying on people,
really invasive kinds of recording like people have found in the past with things like Silverpush. And we really didn't see that. You know, there
were these kind of omissions where the app could have been clearer about its design. And then there
was the screen recording, which, you know, if I'm being honest, there's legitimate reasons why
a developer would want some of that information to help debug.
But again, it's creepy that it's not being disclosed and it shouldn't be happening to everyone all the time.
So we often hear about, I think the common example is like a flashlight app that when you install it,
it asks for permission to use your microphone and your camera and access all of your data and all of your contacts.
And, you know, the joke is, well, why would a flashlight app need to know all those sorts of things?
But you did not run into that sort of thing where, for example, a flashlight app would be, you know, sending all of your personal information to a server halfway around the world.
So there are definitely apps that are over-provisioned, right?
The flashlight that asks for every conceivable
data source on your phone. But you're right, that flashlight and the other apps in our data set,
we did not see them engaging the camera or the mic in a way that a user would not be expecting,
you know, just to surveil them. Now, the work that you did, you were looking at Android
only. Was there any look into anything on iOS? So iOS is unfortunately complicated. We did not
look at iOS. It's just much harder to do the kind of testing because it's not open source and it's
very locked down. But that said, the capabilities for the things that we saw, those capabilities
are also available in iOS.
So for example, the library we found that was recording the screen, there's a version of that
library for iOS. So these things are almost certainly happening there on iPhone as well.
Right. So you're able to extrapolate the likelihood that these sorts of things are
happening on that side as well. Exactly.
So what is the future here for you?
The conclusions that you've come to and where do you go from here?
So one direction that we're definitely focused on is IoT.
Very similar set of concerns that you have this microphone sitting in your living room
or a smart TV, right?
And it's watching you and listening to you. And do you
really know where that data is going? Do you really know when it's listening? These are very legitimate
concerns. We essentially have a studio apartment in our lab space that's an IoT lab. It's just
full of devices. And then we have boxes more after Prime Day coming.
So we're going to be looking at those very closely to see how they're recording,
how they interact with each other, where that data is going, because that's the frontier.
So for folks in terms of protecting themselves, what are your recommendations?
Yeah, so this is a tricky question because you have
limited ability to stop apps from doing things once they're installed. I guess the high level
advice is just think twice before you install apps. Do you really need best, brightest flashlight?
Because anytime you install these apps and grant them permission, even if the app itself
isn't malicious, it can come with third-party code that may be
Do you understand this impulse that people have, this reaction, this sense that they feel as though their phones are listening
to them, even if they might not be? Oh, absolutely. It doesn't help that companies like Facebook have
these patent applications for systems that would do exactly this. And there have been cases in the past where apps were caught turning the mic on and surveilling without the user's consent or knowledge.
There was a recent case where a soccer app was engaging the mic to see if the user was around an illegal broadcast of a game.
So these concerns are valid.
Plus, you then have the targeted advertising issue, which is very creepy.
And the phone is always there.
So when you talk about a vacation to Hawaii and then you get that ad for Hawaii, it doesn't seem like a coincidence.
Right.
It's very easy to infer that something happened.
Even though it may not have happened the way that you're sort of connecting the dots in your mind.
Yeah. So one thing to think about is, is audio transcription technology really that accurate?
You know, for anyone who's used Siri or Google Assistant, I think we all get the sense that they're not really that great yet. So the idea that the easiest way to get your data would
be to surveil your audio, that's a bit of a stretch. The other thing is that we don't really
realize how much data we give away routinely just through our actions online.
Every time you're searching, every time you're browsing, every time you're clicking, all
of that's being collected and then put through machine learning algorithms to infer things
about you.
If you're going on travel sites or you're searching for day trips in Hawaii, it's not
hard to infer your interest in Hawaiian plane flights.
Yeah. And even tracking your location, an app like Facebook knows where you are and
what events you might be interested in and your other friends and your friends list who are at
the same place at the same time. There's certainly a lot of things that they can put together without
needing to listen to you.
Absolutely. You may not be the one doing the searches for vacations, let's say, but if your friend is or your partner is, it's so easy to connect that to you. What's the bottom line here
for those who are out there with these concerns that primarily Facebook and many of the other
apps may be listening to them? Do you say maybe not such a big concern?
So I would say that right now, this is not as big a concern as people think.
The idea that you're constantly being surveilled by your phone is probably not true.
Now, that doesn't mean there won't be apps in the future or corner cases where apps are malicious and this happens.
But in general,
sort of writ large, there's other things you should be more concerned about.
Elleen, what's your take on this? What conclusions did you have?
Yeah, I definitely feel the same way that there is just a lot of ways that companies track us other than the microphone. And in that way, I just feel like I should be more mindful
of my activity online or just how I'm being tracked in those ways and not as specifically
concerned about my phone listening to me, but just being aware of my privacy as a whole.
One thing that's worth mentioning is, you know, in cases where we did find apps that were not disclosing things, right, we did responsible disclosure to those companies.
We also responsibly disclosed all of this to Google.
So Google issued a statement saying that they've taken appropriate action against some of these apps, specifically ones that were recording the screen.
So this was a case where
some direct good came out of the research.
Our thanks to Christo Wilson and Elleen Pan from Northeastern University.
The research is titled Panoptispy, Characterizing Audio and Video Exfiltration from Android
Applications. We'll have a link in the show notes of this episode.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.