Android phones can be identified and tracked in several ways without the user's consent or knowledge. Malicious apps can extract identifiers like IMEI and IMSI and send this data to attackers. They can also secretly record audio through the microphone and transmit the recordings remotely. Demonstration malware showed how it could retrieve phone identifiers over a network and record then send audio to a command server. Users are advised to carefully review permission requests from apps and avoid installing untrusted programs.

1. Android Phone Identifiers and
Eavesdropping Audio
李士暄
2014/7/41

2. Reference
• A Study of Android Application Security.
– Pennsylvania State University
– William Enck, Damien Octeau, Patrick McDaniel,
and Swarat Chaudhuri.
• Soundcomber: A Stealthy and Context-Aware
Sound Trojan for Smartphones.
– Indiana University Bloomington
– Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala,
Apu Kapadia, XiaoFeng Wang
2

3. Introduction – Phone Identifiers
3
Identifiers Desciption
SIM (Subscriber
Identity Module)
A SIM card is a smart card that identifies the subscriber,
the service provider, and the mobile phone number.
PIN (personal
identification number)
A numeric password for SIM card that can be used to
authenticate the user to the system. (Default : 0000 or
1234)
IMEI (International
Mobile Equipment
Identity)
An unique number that identifies each mobile device. It
is 15 digits numbers. When a phone is reported stolen or
is not type approved, the number is marked invalid.
(Enter : *#06#)
IMSI (International
Mobile Subscriber
Identity)
An IMSI is a unique number that identifies user. It is also
15 digits long. Key Identification(KI) is an unique
password for each IMSI.
ICCID (Integrated
Circuit Card Identifier)
An ICCID is a unique number that identifies SIM card. It is
20 digits long number.

4. Introduction
• Phone identifiers are frequently leaked through
plaintext requests.
– Most sinks are HTTP GET or POST parameters
• Phone Identifier are used as device fingerprint.
– Not only phone identifers, but also other properties
– OS version, device hardware , application name,
platform
• IMEI is tied to personally identifiable
information(PII)
– Include IMEI in account registration and login request.
E.g. Line、Whatsapp
4William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. Pennsylvania State University.
A Study of Android Application Security

5. Threats
• WhatsApp Password : an inverse of your phones IMEI
number with an MD5 cryptographic hash
1. Attacker develop an faked app and let user fill in their
personal information in registration part.
2. Silently sends the victims IMEI number & phone
number to his server in the background.
3. A hacker creates database/file with IMEI numbers
with associated phone numbers.
4. A spammer buys this information from an app
developer.
5

6. Sequence diagram of attacker scenario for
WhatsApp application
6

7. Demo
• App : Siminfo
• <uses-permission
android:name="android.permission.READ_PHONE_STATE" />
• Android.telephony.TelephonyManager
• getDeviceId() // Get IMEI
• getSimSerialNumber() // Get ICCID
• getSubscriberId() //Get IMSI
• Socket Programming
7

8. Demo : Siminfo
8
1. Server 開啟，等待Client連線
2. Client輸入完資料按【submit】，透過socket方式
傳送給 IP為: 192.168.1.1 的Server
3. 同時將該手機的IMEI、ICCID、IMSI 傳給Server

9. Eavesdropping Audio
• A Trojan with access to the video camera or
microphone can
– tape a user’s phone conversations
– send the recording to other parties , which
enables remote surveillance
– We refer to as sensory malware
• Malware : Android/NickiSpy
– record user telephone conversations
– store them in the SD card memory
9

10. Android/NickiSpy
• Once the malware is installed, it requests the
following permissions from the user:
10
Latest Android Malware Records Conversations By McAfee Labs on Aug 09, 2011
http://blogs.mcafee.com/mcafee-labs/latest-android-malware-records-conversations

11. Android/NickiSpy
• After installing the application and rebooting,
the device will start the following services in
the background:
11
Latest Android Malware Records Conversations By McAfee Labs on Aug 09, 2011
http://blogs.mcafee.com/mcafee-labs/latest-android-malware-records-conversations

12. Android/NickiSpy
• AndroidManifest.xml
12
Latest Android Malware Records Conversations By McAfee Labs on Aug 09, 2011
http://blogs.mcafee.com/mcafee-labs/latest-android-malware-records-conversations

13. Android/NickiSpy
• The malware drops a configuration file onto
the phone.
– This file has all the information the app needs
including the command server and port number
through which it communicates.
13
Latest Android Malware Records Conversations By McAfee Labs on Aug 09, 2011
http://blogs.mcafee.com/mcafee-labs/latest-android-malware-records-conversations

14. Android/NickiSpy
• The malware recorded the conversation and
stored it on the compromised phone’s SD card.
14
Latest Android Malware Records Conversations By McAfee Labs on Aug 09, 2011
http://blogs.mcafee.com/mcafee-labs/latest-android-malware-records-conversations

15. Android/NickiSpy
• The malware also retrieves the IMEI number
of the compromised mobile device
– And sends that information to the mobile number
“15859268161″
15
Latest Android Malware Records Conversations By McAfee Labs on Aug 09, 2011
http://blogs.mcafee.com/mcafee-labs/latest-android-malware-records-conversations

16. Demo
• App: RecordAudio
• <uses-permission
android:name="android.permission.RECORD_AUDIO" />
• <uses-permission
android:name="android.permission.INTERNET" />
• Socket Programming
16

17. Demo: RecordAudio
17
1. Server開啟，等待Clinet連線
2. Client開始App後，自動連上Server(IP:192.168.1.1)
3. Server端下指令 : start(client端開始錄音)
4. Server端下指令 : stop (Client端停止錄音)
5. Client將錄音檔傳送給Server，並放在桌面上

18. Comments
• Android is highly dangerous!!!
• Users should never install unknown or
untrusted applications on their mobile devices.
– Do not checked Setting > Security > unknown
sources
• Pay attention to those unrelated permissions
that are requested when you install app.
18