Soundminer Android Trojan Is A Frightening Look At Security Holes


Security researchers have come up with a very scary proof-of-concept bit of Android malware that shows how, even if you’re very careful about what access rights you grant to apps, you may still find yourself vulnerable.

The attack, prepared by a group consisting of personnel from the City University of Hong Kong and Indiana University Bloomington, is made up of two separate trojan apps. One uses the processing power of your phone to steal data from you in a way that you might not have thought possible, while the other takes advantage of Android’s design to ferry that data off your phone without detection. The team calls its creation Soundminer.

The first half of the attack goes after your phone’s voice connection. Usually, we think of cyber-thieves using keyloggers or network sniffers to steal account details, and assume that voice calls are generally safe. By masquerading as an app that helps you record parts of calls, to use as voice memos later, the trojan tricks you into letting it listen in. Then it uses a combination of DTMF touch-tone decoding along with voice recognition to identify any credit card numbers you say or enter.

Since both apps are supposed to look legit, the first one doesn’t ask you for permission to use the network, making it seem like whatever data is collected would be stuck on your phone. The second app, called Deliverer, can appear to be anything that would have a legitimate need to use wireless network access. In order to get your credit card numbers from the first app to the second, the pair manipulates commonly accessible Android settings, hiding the transport of the data in that manipulation. Think about it like this: you could send a secret message to someone you never meet by visiting the same room, one after the other. By adjusting the ceiling fan on each visit to high, medium, or low speed, based on a predetermined pattern, you could share information between the two of you without actually leaving any messages in the room.

If nothing else, Soundminer serves as a reminder that, even when you follow all good advice for limiting app permissions, and use your head about spotting suspicious app behavior, you’re ultimately putting your trust in the app’s author not to do anything nefarious.

Source: THINQ

Via: Slashdot

About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits.