@inproceedings{fa153b773d6444a6acf184bcecebdb8a,
title = "Who activated my Voice Assistant?: a stealthy attack on Android phones without users{\textquoteright} awareness",
abstract = "Voice Assistant (VAs) are increasingly popular for human-computer interaction (HCI) smartphones. To help users automatically conduct various tasks, these tools usually come with high privileges and are able to access sensitive system resources. A comprised VA is a stepping stone for attackers to hack into users{\textquoteright} phones. Prior work has experimentally demonstrated that VAs can be a promising attack point for HCI tools. However, the state-of-the-art approaches require ad-hoc mechanisms to activate VAs that are non-trivial to trigger in practice and are usually limited to specific mobile platforms. To mitigate the limitations faced by the state-of-the-art, we propose a novel attack approach, namely Vaspy, which crafts the users{\textquoteright} “activation voice” by silently listening to users{\textquoteright} phone calls. Once the activation voice is formed, Vaspy can select a suitable occasion to launch an attack. Vaspy embodies a machine learning model that learns suitable attacking times to prevent the attack from being noticed by the user. We implement a proof-of-concept spyware and test it on a range of popular Android phones. The experimental results demonstrate that this approach can silently craft the activation voice of the users and launch attacks. In the wrong hands, a technique like Vaspy can enable automated attacks to HCI tools. By raising awareness, we urge the community and manufacturers to revisit the risks of VAs and subsequently revise the activation logic to be resilient to the style of attacks proposed in this work.",
keywords = "Android, Smartphone, Software security, Systems security, Voice Assistant",
author = "Rongjunchen Zhang and Xiao Chen and Sheng Wen and James Zheng",
year = "2019",
doi = "10.1007/978-3-030-30619-9_27",
language = "English",
isbn = "9783030306182",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer, Springer Nature",
pages = "378--396",
editor = "Xiaofeng Chen and Xinyi Huang and Jun Zhang",
booktitle = "Machine Learning for Cyber Security",
address = "United States",
note = "2nd International Conference on Machine Learning for Cyber Security, ML4CS 2019 ; Conference date: 19-09-2019 Through 21-09-2019",
}