New Android “sensory malware” listens in, steals financial data

Posted 10 February 2011 00:00 CET by wconeybeer

Most Android tablet and smartphone owners are aware by now that there are malware applications that can steal sensitive data by recording a user’s keystrokes as they enter information like passwords and credit card numbers. Newer, more sophisticated malware, however, has the ability to lie in wait until a user is speaking potentially “high-value information”, and then will covertly transmit snippets of that data into the hands of cyber-thieves.

One such “sensory malware” application has been created by researchers from Indiana University in Bloomington and the University of Hong Kong. Dubbed Soundminer, the application has the ability to monitor Android users’ phone calls and steal account numbers spoken or entered via the number pad. The mechanisms it uses to do this, however, are much more sophisticated than you might expect.

Soundminer innocently asks users for permission to access their handset’s microphone, something that most people likely wouldn’t think twice about granting. It does not, however, ask for permission to access the smartphone’s network, though it can still transfer small amounts of information along a “covert channel” to another app called Deliverer. That application will then transmit the data to a remote server.
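The permission split described above is what makes each app look harmless on its own. As an added illustration (not code from the article or from the researchers’ paper, and not their proposed defensive architecture), the Python script below parses a few constructed Android manifests and flags the combination: an app that can record audio but has no network permission installed beside apps that do. Package names and manifests are made up; the two permission names are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MIC = "android.permission.RECORD_AUDIO"
NET = "android.permission.INTERNET"

# Constructed sample manifests (hypothetical package names, not real apps), modelled on the
# article's description: a recorder that asks only for the microphone, a relay that asks only
# for the network, and an ordinary app that legitimately asks for both.
SAMPLE_MANIFESTS = {
    "com.example.recorder": f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.recorder">
  <uses-permission android:name="{MIC}"/>
</manifest>""",
    "com.example.relay": f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.relay">
  <uses-permission android:name="{NET}"/>
</manifest>""",
    "com.example.voip": f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.voip">
  <uses-permission android:name="{MIC}"/>
  <uses-permission android:name="{NET}"/>
</manifest>""",
}


def permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def triage(manifests: dict[str, str]) -> dict[str, list[str]]:
    """Flag the cross-app permission pattern the article describes.

    Reviewing each app alone misses it: the recorder looks harmless because it cannot
    reach the network, and the relay looks harmless because it cannot hear anything.
    Only the combination across installed apps is suspicious, so report both halves.
    """
    perms = {pkg: permissions(xml) for pkg, xml in manifests.items()}
    mic_only = sorted(p for p, s in perms.items() if MIC in s and NET not in s)
    relays = sorted(p for p, s in perms.items() if NET in s)
    return {
        "mic_without_network": mic_only,
        "possible_relays": relays,
        "needs_review": mic_only if relays else [],
    }


if __name__ == "__main__":
    for key, pkgs in triage(SAMPLE_MANIFESTS).items():
        print(f"{key}: {', '.join(pkgs) or '-'}")
```

Permission declarations alone cannot prove a covert channel exists; the output is a review queue for closer inspection of how the flagged apps behave during calls, not a verdict.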

Here’s where it starts to get really interesting.

“The context of a phone conversation can be predicted and fingerprinted under some circumstances, which enables an efficient analysis to extract a small amount of high-value information from the conversation,” the researchers’ paper explains. “A prominent example is one’s interaction with an automatic phone menu service, also known as interactive voice response (IVR) system, which is routinely provided by customer service departments of different organizations (e.g., credit-card companies). The detailed steps of such an interaction were found to be easily recognizable in our research, from a small set of features of the conversation and related side-channel information. As a result, sensitive data such as credit-card numbers can be accurately identified at a small cost.”

Because the resulting files are so small, they are easily transmitted without any noticeable effects that may arouse suspicion.

The paper goes on to describe in great detail how the sound recording, tone recognition, and “covert channels” work. The researchers have also posted a Soundminer demonstration video on YouTube.

So how does one avoid apps like Soundminer and Deliverer?

The research team reported that they tested VirusGuard from SMobile Systems and Droid Security’s AntiVirus, and neither had the ability to identify the threat even as it was actively recording audio or uploading data. In fact, the team states that “no existing defenses work on Soundminer”; however, they have designed a “defensive architecture” that does have the ability to foil the malware.

Perhaps the most disturbing part of this story is Google’s reaction. When contacted by CNET, company officials in London emailed what seems to be their standard answer for such inquiries: “If users believe an application is harmful or inappropriate, they can flag it, give it a low rating, leave a detailed comment, and of course, remove it from their device.”

As we continue to be more “connected” as a global society, we will begin to see more of these types of threats. Security measures obviously need to be set to a higher standard by manufacturers that develop these devices, as well as by the companies who are running the app stores.
