As the Internet of Things (IoT) continues to evolve, smartphones have become essential components of IoT systems. However, with the increasing amount of personal information stored on smartphones, user privacy is at risk of being compromised by malicious attackers. Although malware detection engines are commonly installed on smartphones to defend against these attacks, attacks that can evade these defenses may still emerge. In this paper, we analyze the return values of system calls on Android smartphones and find two never-disclosed vulnerable return values that can leak fine-grained user behaviors. Based on this observation, we present EavesDroid, an application-embedded side-channel attack on Android smartphones that allows unprivileged attackers to accurately identify fine-grained user behaviors (e.g., viewing messages and playing videos) via on-screen operations. Our attack relies on the correlation between user behaviors and the return values associated with hardware and system resources. While this attack is challenging since these return values are susceptible to fluctuation and misalignment caused by many factors, we show that attackers can eavesdrop on fine-grained user behaviors using a CNN-GRU classification model that adopts min-max normalization and multiple return value fusion. Our experiments on different models and versions of Android smartphones demonstrate that EavesDroid can achieve 98% and 86% inference accuracy for 17 classes of user behaviors in the test set and real-world settings, respectively, highlighting the risk of our attack on user privacy. Finally, we recommend effective malware detection, carefully designed obfuscation methods, or restrictions on reading vulnerable return values to mitigate this attack.