CodeTracker: A Lightweight Approach to Track and Protect Authorization Codes in SMS Messages.

IEEE ACCESS (2018)

Abstract
Short message service (SMS) authorization codes play an important role in the application ecosystem, as a number of transactions (e.g., personal identification and online banking) require users to provide a code for authorization purposes. However, authorization codes in SMS messages can be stolen and forwarded by attackers, which introduces serious security concerns. In this paper, we propose CodeTracker, a lightweight approach to track and protect SMS authorization codes. Specifically, we leverage the taint tracking technique to mark the authorization code with taint tags at the origin of the incoming SMS messages (taint sources), and then, we propagate the tags in the system. To this end, we modify the related array structure, array operations, string operations, inter-process communication mechanism, and file operations for secondary storage of SMS authorization codes to ensure that the taint tags cannot be removed. When the authorization code is sent out via either SMS messages or network connections (taint sinks), we extract the taint tag of the data and enforce pre-defined security policies to prevent the code from being leaked. We have developed a prototype of CodeTracker on Android's ART virtual machine and used 1,218 SMS-stealing Android malware samples to evaluate the system. The evaluation results show that CodeTracker can effectively track and protect SMS authorization codes with a small performance overhead (<2% on average).
Keywords
Data privacy, tags, Android, short message service (SMS) authorization codes