Imagine a phone bug or room bug that listens for spoken keywords and
sends a remote attacker a notification and an audio file containing
the relevant part of the desired conversation.
-Ed
http://www.thinq.co.uk/2011/1/20/android-trojan-captures-credit-card-details/
Android Trojan captures credit card details
Spoken or typed
20 January, 2011
A team of security researchers has created a proof-of-concept Trojan
for Android handsets that is capable of listening out for credit card
numbers - typed or spoken - and relaying them back to the
application's creator.
The team, comprised of Roman Schlegel from the City University of Hong
Kong and Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and
Xiao Feng Wang from the Indiana University Bloomington, call their
creation 'Soundminer' - and its implications are far-reaching.
Software released for Android devices has to request permissions for
each system function it accesses - with apps commonly requesting
access to the network, phone call functionality, internal and external
storage devices, and miscellaneous hardware functions such as the
backlight, LED, or microphone. These requests are grouped into
categories and presented to the user at the point of installation -
helping to minimise the chance of a Trojan slipping by.
Soundminer takes a novel approach to these restrictions, by only
requesting access to 'Phone calls,' to read phone state and identity,
'Your personal information,' to read contact data, and 'Hardware
controls' to record audio - none of which will ring alarm bells if the
app is marketed as a voice recording tool.
Once installed, however, Soundminer sits in the background and waits
for a call to be placed - hence the access to the 'Phone calls'
category. When triggered by a call, the application listens out for
the user entering credit card information or a PIN and silently
records the information, performing the necessary analysis to turn it
from a sound recording into a number.
The software works for both spoken numbers, as requested by some
voice-activated IVR systems and by human operators, and numbers typed
into the virtual dialpad on the phone - recognising the DTMF tones and
translating them back into numbers again.
As Soundminer doesn't have access to the 'Network communication'
category, it's unable to transmit the data it captures - relying on a
second app, called Deliverer, which exists purely to relay the data to
the attacker.
Predicting that this kind of attack could take place, Google has made
it difficult for two applications to transfer data to each other
without the user knowing about it. Working around this, the team found
that if they used Soundminer to modify hardware settings such as
backlight timeout and ring volume, the Deliverer app could read those
settings back without arousing suspicion - a covert back-channel that
makes fooling the user significantly easier.
In the team's research paper (PDF), they suggest a defence mechanism
against Soundminer: an intermediary layer that analyses input from the
microphone before passing it to an application, able to detect credit
card numbers and prevent their transmission to Soundminer-like Trojans.
The researchers are due to present their findings at next month's
Network & Distributed System Security Symposium in San Diego, but if
that's too far away - geographically or temporally - you can check out
a video of Soundminer in action below.
It's been a bad day for Android, as earlier we reported on an exploit
that turns a handset running the OS into a USB snooping device.
Received on Sat Mar 02 2024 - 00:57:24 CST
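
The defence the article describes (an intermediary layer that inspects microphone input before an application receives it) can be sketched for the typed-digit case. This is an added example, not code from the article or the research paper: it silences every frame that carries a DTMF key tone rather than recognising card numbers, and does not handle spoken digits. The 8 kHz rate, 205-sample frames, 0.2 energy share and all function names are assumptions.

```python
import math

RATE = 8000                      # assumed telephony sample rate in Hz
FRAME = 205                      # assumed frame size (about 25 ms of audio)
ROWS = (697, 770, 852, 941)      # standard DTMF low-group frequencies
COLS = (1209, 1336, 1477, 1633)  # standard DTMF high-group frequencies
KEYS = ("123A", "456B", "789C", "*0#D")

def goertzel_power(frame, freq):
    """Squared magnitude of the frame's spectrum at freq (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def dtmf_key(frame, share=0.2):
    """Return the keypad symbol carried by the frame, or None."""
    total = sum(x * x for x in frame) * len(frame) / 2  # same scale as Goertzel
    if total == 0:
        return None
    rows = [goertzel_power(frame, f) for f in ROWS]
    cols = [goertzel_power(frame, f) for f in COLS]
    # A key press is one row tone plus one column tone; each must hold a real
    # share of the energy, so speech and lone tones are not treated as keys.
    if min(max(rows), max(cols)) / total < share:
        return None
    return KEYS[rows.index(max(rows))][cols.index(max(cols))]

def sanitize(samples):
    """Return (audio, muted): audio with key tones zeroed, muted frame count."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]
    hit = [len(f) == FRAME and dtmf_key(f) is not None for f in frames]
    out, muted = [], 0
    for i, f in enumerate(frames):
        # Key presses rarely align with frame edges, so the neighbours of a
        # detected frame are silenced as well.
        if any(hit[max(i - 1, 0):i + 2]):
            out.extend([0.0] * len(f))
            muted += 1
        else:
            out.extend(f)
    return out, muted

def tone(freqs, n):
    """Constructed test signal: sum of unit sine waves, n float samples."""
    return [sum(math.sin(2 * math.pi * f * k / RATE) for f in freqs)
            for k in range(n)]
```
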