Malware is a burgeoning threat for smartphones and continues to advance. Traditional defenses against malware, however, are not suitable for smartphones due to their resource-intensive nature. This necessitates the design of novel mechanisms that consider the specifics of smartphone malware and of smartphones themselves. In this paper, we introduce a lightweight permission enforcement approach, Tap-Wave-Rub (TWR), for smartphone malware prevention. TWR is based on simple cyber-physical human interactions, i.e., human gestures, that are very quick and intuitive but less likely to be exhibited in users' daily activities. The presence or absence of such gestures, prior to accessing an application, can effectively inform the OS whether the access request is benign or malicious. In particular, we present the design of two mechanisms: 1) acceleration-based phone tapping detection and 2) proximity-based finger tapping, rubbing, or hand waving detection. The first mechanism is geared toward near field communication applications, which usually require the user to tap her phone against another device. The second mechanism involves very simple gestures, i.e., tapping or rubbing a finger near the top of the phone's screen or waving a hand close to the phone, and broadly appeals to many applications (e.g., SMS). In addition, we present the TWR-enhanced Android permission model, the prototypes implementing the underlying gesture recognition mechanisms, and a variety of novel experiments to evaluate these mechanisms. Our results suggest the proposed approach could be very effective for malware detection/prevention, with quite low false positives and false negatives, while imposing little to no additional burden on the users.