New Android “sensory malware” listens in, steals financial data

Posted 10 February 2011 00:00 CEST by wconeybeer

Most Android tablet and smartphone owners are aware by now that there are malware applications that can steal sensitive data by recording a user’s keystrokes as they enter information like passwords and credit card numbers. Newer, more sophisticated malware, however, has the ability to lie in wait until a user is speaking potentially “high-value information”, and then will covertly transmit snippets of that data into the hands of cyber-thieves.

One such “sensory malware” application has been created by researchers from Indiana University in Bloomington and the University of Hong Kong. Dubbed Soundminer, the application has the ability to monitor Android users’ phone calls and steal account numbers spoken or entered via the number pad. The mechanisms it uses to do this, however, are much more sophisticated than you might expect.

Soundminer innocently asks users for permission to access their handset’s microphone, something that most people likely wouldn’t think twice about granting. It does not, however, ask for permission to access the smartphone’s network, though it can still transfer small amounts of information along a “covert channel” to another app called Deliverer. That application will then transmit the data to a remote server.
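The permission split described above is why reviewing each app's permissions in isolation misses this design. The following is an added example, not code from the article or the researchers' paper: a small audit that compares a per-app check with a check over pairs of apps. The package names and the inventory are constructed for illustration; only the two Android permission names are real.

```python
from itertools import combinations

MIC = "android.permission.RECORD_AUDIO"
NET = "android.permission.INTERNET"
RISKY = {MIC, NET}

# Constructed inventory: package name -> requested permissions.
# All package names here are hypothetical.
INSTALLED = {
    "com.example.voicememo": {MIC},        # microphone only
    "com.example.wallpaper": {NET},        # network only
    "com.example.calculator": set(),       # nothing relevant
    "com.example.voip": {MIC, NET},        # both, openly declared
}


def single_app_findings(apps):
    """Apps that hold microphone and network access on their own.

    This is all a per-app permission review can see.
    """
    return sorted(pkg for pkg, perms in apps.items() if RISKY <= perms)


def split_capability_pairs(apps):
    """Pairs where neither app holds both permissions but the pair does.

    A hit is a reason to review the two apps together, not proof that
    they communicate: many legitimate apps fall into such pairs.
    """
    pairs = []
    ordered = sorted(apps.items(), key=lambda kv: kv[0])
    for (a, perms_a), (b, perms_b) in combinations(ordered, 2):
        if RISKY <= perms_a or RISKY <= perms_b:
            continue  # already visible to the per-app check
        if RISKY <= (perms_a | perms_b):
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    print("per-app review flags:", single_app_findings(INSTALLED))
    print("pairs to review together:", split_capability_pairs(INSTALLED))
```
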

Here’s where it starts to get really interesting.

“The context of a phone conversation can be predicted and fingerprinted under some circumstances, which enables an efficient analysis to extract a small amount of high-value information from the conversation,” the researchers’ paper explains. “A prominent example is one’s interaction with an automatic phone menu service, also known as interactive voice response (IVR) system, which is routinely provided by customer service departments of different organizations (e.g., credit-card companies). The detailed steps of such an interaction were found to be easily recognizable in our research, from a small set of features of the conversation and related side-channel information. As a result, sensitive data such as credit-card numbers can be accurately identified at a small cost.”

Because the resulting files are so small, they are easily transmitted without any noticeable effects that may arouse suspicion.

The paper goes on to describe in great detail how the sound recording, tone recognition, and “covert channels” work. The researchers have also posted a Soundminer demonstration video on YouTube.

So how does one avoid apps like Soundminer and Deliverer?

The research team reported that they tested VirusGuard from SMobile Systems and Droid Security’s AntiVirus, and neither had the ability to identify the threat even as it was actively recording audio or uploading data. In fact, the team states that “no existing defenses work on Soundminer”; however, they have designed a “defensive architecture” that does have the ability to foil the malware.

Perhaps the most disturbing part of this story is Google’s reaction. When contacted by CNET, company officials in London emailed what seems to be their standard answer for such inquiries: “If users believe an application is harmful or inappropriate, they can flag it, give it a low rating, leave a detailed comment, and of course, remove it from their device.”

As we continue to be more “connected” as a global society, we will begin to see more of these types of threats. Security measures obviously need to be set to a higher standard by manufacturers that develop these devices, as well as by the companies who are running the app stores.

New Member
Posted on: 10 Feb 11 00:35
Potentially every piece of stored information can be accessed by someone who isn't authorized or who means harm or intends to steal information or money.

The best response is for O/S builders to acknowledge this and ensure that through open market, appropriate applications are available to thwart these attempts. Also, O/S builders should do everything reasonably possible to plug security holes and encourage the reporting of such holes. Hackers are going to find them, encourage them to turn in the problem, reward them if necessary.
0 Agree

Blown to smitherines
Posted on: 10 Feb 11 02:14
This is very simple to fix -> Skype / Phone programs have EXCLUSIVE access to the microphone when active.

0 Agree

MyCE Rookie
Posted on: 10 Feb 11 16:42
I don't know why Android gets singled out with stories like this, it's not like Apple scans for malware, they only check for the looks of an app, that it runs nicely and is within the app store guidelines.
Various iOS apps have been found to have a secret code to enable extra features like taking a photo with the volume buttons or proxy tethering.

The difference is Android shows you what permissions an app wants, iPhone doesn't; if you ignore the permission Android shows you, that's your problem.

These stories are really about AntiVirus devs scaring people into buying their wares. Do you find antivirus on iOS? No, because Apple won't let them.
0 Agree
