Smartphones running Android try to prevent the sort of viruses and Trojans that plague PCs by carefully walling off which of the phones’ features and data applications can access. But one team of researchers has demonstrated that a clever piece of malware can listen through the walls–literally.
Six researchers at Indiana University and the City University of Hong Kong have created a proof-of-concept program called Soundminer (PDF here) that’s capable of using a phone’s mic to listen out for credit card numbers. When a user either speaks or types their credit card’s digits into the phone, Soundminer parses the audio file, interprets the numbers, and sends them to another app that passes them on to a remote server.
Here’s a video of Soundminer in action.
The idea behind the team’s work, which they plan to demonstrate at the Network & Distributed System Security Symposium in San Diego next month, is that a smart user wouldn’t grant an untrusted application access to his or her web browsing or keyboard, where it could snoop on credit card information being entered into banking website or another application. But few users would suspect an app that asks only for access to the phone’s microphone. In fact, permission to access the microphone on an Android device is included under “Hardware Controls” that allow access to all audio settings. Even a seemingly harmless alarm clock application for Android asks for that privilege, as the researchers show in the video above.
Sneakier yet: Soundminer doesn’t even ask for access to the phone’s network to transmit its stolen data. Instead, the team writes in a paper that it uses a “covert channel” that allows the app to transmit small amounts of data to other applications. In Soundminer’s case, those bits are sent to another application called Deliverer, which is designed only to relay the data on to the hacker. The researchers suggest that the second, delivery application could be automatically installed by the first in a single package download.
The covert channels that the researchers identify include the phone’s vibration, volume, and screen wake-up settings, all of which are shared with other applications when they’re changed. By tweaking those settings in a certain pattern, Soundminer sends a simple secret code to Deliverer, which in turn passes it on to the hacker. And because Soundminer extracts the credit card number from the audio track rather than transmit the entire file, it only has to share 16 digits with Deliverer, easily small enough for its subtle communications to the other malicious app.
I’ve contacted Google to hear their thoughts on this ultra-clever malware and the potential security vulnerability it represents. I’ll update when I hear back from them.
The Indiana and Hong Kong researchers’ work is intended to make phones more secure, not steal financial data. So their paper also includes suggestions for how Android, or users, might protect data from the microphone-based attack. Those fixes include turning off the audio feedback on the phone’s dialing buttons, and also implementing more specific permissions on apps that would make it clearer to users when a program asks for suspicious access to the mic.
Soundminer strikes me as a remarkable hack, and the researchers’ paper is chock full of interesting sleights-of-hand. Check out the full PDF here.
(Hat tip to Chris Wysopal of Veracode for spotting this.)
Six researchers at Indiana University and the City University of Hong Kong have created a proof-of-concept program called Soundminer (PDF here) that’s capable of using a phone’s mic to listen out for credit card numbers. When a user either speaks or types their credit card’s digits into the phone, Soundminer parses the audio file, interprets the numbers, and sends them to another app that passes them on to a remote server.
Here’s a video of Soundminer in action.
The idea behind the team’s work, which they plan to demonstrate at the Network & Distributed System Security Symposium in San Diego next month, is that a smart user wouldn’t grant an untrusted application access to his or her web browsing or keyboard, where it could snoop on credit card information being entered into banking website or another application. But few users would suspect an app that asks only for access to the phone’s microphone. In fact, permission to access the microphone on an Android device is included under “Hardware Controls” that allow access to all audio settings. Even a seemingly harmless alarm clock application for Android asks for that privilege, as the researchers show in the video above.
Sneakier yet: Soundminer doesn’t even ask for access to the phone’s network to transmit its stolen data. Instead, the team writes in a paper that it uses a “covert channel” that allows the app to transmit small amounts of data to other applications. In Soundminer’s case, those bits are sent to another application called Deliverer, which is designed only to relay the data on to the hacker. The researchers suggest that the second, delivery application could be automatically installed by the first in a single package download.
The covert channels that the researchers identify include the phone’s vibration, volume, and screen wake-up settings, all of which are shared with other applications when they’re changed. By tweaking those settings in a certain pattern, Soundminer sends a simple secret code to Deliverer, which in turn passes it on to the hacker. And because Soundminer extracts the credit card number from the audio track rather than transmit the entire file, it only has to share 16 digits with Deliverer, easily small enough for its subtle communications to the other malicious app.
I’ve contacted Google to hear their thoughts on this ultra-clever malware and the potential security vulnerability it represents. I’ll update when I hear back from them.
The Indiana and Hong Kong researchers’ work is intended to make phones more secure, not steal financial data. So their paper also includes suggestions for how Android, or users, might protect data from the microphone-based attack. Those fixes include turning off the audio feedback on the phone’s dialing buttons, and also implementing more specific permissions on apps that would make it clearer to users when a program asks for suspicious access to the mic.
Soundminer strikes me as a remarkable hack, and the researchers’ paper is chock full of interesting sleights-of-hand. Check out the full PDF here.
(Hat tip to Chris Wysopal of Veracode for spotting this.)
No hay comentarios:
Publicar un comentario