
Your Voice Assistant is Mine: How to Abuse Speakers to Steal Information and Control Your Phone


Abstract

Previous research about sensor based attacks on Android platform focused mainly on accessing or controlling over sensitive device components, such as camera, microphone and GPS. These approaches get data from sensors directly and need corresponding sensor invoking permissions.

This paper presents a novel approach (GVS-Attack) to launch permission bypassing attacks from a zero permission Android application (VoicEmployer) through the speaker. The idea of GVS-Attack utilizes an Android system built-in voice assistant module -- Google Voice Search. Through Android Intent mechanism, VoicEmployer triggers Google Voice Search to the foreground, and then plays prepared audio files (like "call number 1234 5678") in the background. Google Voice Search can recognize this voice command and execute corresponding operations. With ingenious designs, our GVS-Attack can forge SMS/Email, access privacy information, transmit sensitive data and achieve remote control without any permission.

Also we found a vulnerability of status checking in Google Search app, which can be utilized by GVS-Attack to dial arbitrary numbers even when the phone is securely locked with password. A prototype of VoicEmployer has been implemented to demonstrate the feasibility of GVS-Attack in real world. In theory, nearly all Android devices equipped with Google Services Framework can be affected by GVS-Attack. This study may inspire application developers and researchers rethink that zero permission doesn't mean safety and the speaker can be treated as a new attack surface.