Security researchers have come up with a very scary proof-of-concept bit of Android malware that shows how, even if you’re very careful about what access rights you grant to apps, you may still find yourself vulnerable.
The attack, prepared by a group consisting of personnel from the City University of Hong Kong and Indiana University Bloomington, is made up of two separate trojan apps. One uses the processing power of your phone to steal data from you in a way that you might not have thought possible, while the other takes advantage of Android’s design to ferry that data off your phone without detection. The team calls its creation Soundminer.
The first half of the attack goes after your phone's voice calls. Usually we think of cyber-thieves using keyloggers or network sniffers to steal account details, and assume that what you say or key in during a call is safe. By masquerading as an app that lets you record parts of calls to keep as voice memos, the trojan gets you to grant it the audio-recording access such an app would plausibly need, and uses that to listen in. It then combines DTMF touch-tone decoding (for digits you punch into the keypad when an automated menu asks for them) with speech recognition to pick out any credit card numbers you say or enter.
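To make the touch-tone half concrete, here is an added example (not the researchers' code, and not from the original article) of how an app with access to call audio could recover keypad digits: it synthesises a constructed DTMF burst for each key and then decodes it with the Goertzel algorithm, the usual way to test for a handful of known frequencies without a full FFT. The sample rate, block size and thresholds are assumptions chosen for telephone-band audio.

```python
import math

SAMPLE_RATE = 8000                      # telephone-band audio, assumed for this example
LOW_FREQS = (697, 770, 852, 941)        # DTMF row tones (Hz)
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column tones (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")


def synth_dtmf(digits, tone=0.1, gap=0.05, rate=SAMPLE_RATE):
    """Constructed input: a DTMF sequence as float samples, each key a
    two-tone burst followed by silence (stands in for the captured call audio)."""
    samples = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        lo, hi = LOW_FREQS[row], HIGH_FREQS[col]
        for i in range(int(tone * rate)):
            t = i / rate
            samples.append(0.5 * math.sin(2 * math.pi * lo * t)
                           + 0.5 * math.sin(2 * math.pi * hi * t))
        samples.extend([0.0] * int(gap * rate))
    return samples


def goertzel_power(block, freq, rate=SAMPLE_RATE):
    """Goertzel algorithm: energy in one frequency bin, cheaper than an FFT
    when only the eight DTMF frequencies matter."""
    n = len(block)
    k = int(0.5 + n * freq / rate)          # nearest DFT bin to the tone
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _pick(powers, min_power, ratio=4.0):
    """Index of the dominant tone in a group, or None if no tone clearly wins."""
    ranked = sorted(range(len(powers)), key=powers.__getitem__, reverse=True)
    best, runner_up = powers[ranked[0]], powers[ranked[1]]
    if best < min_power or best < ratio * runner_up:
        return None
    return ranked[0]


def classify_block(block, rate=SAMPLE_RATE, min_power=100.0):
    """Key for one block of audio, or None for silence / ambiguous audio."""
    row = _pick([goertzel_power(block, f, rate) for f in LOW_FREQS], min_power)
    col = _pick([goertzel_power(block, f, rate) for f in HIGH_FREQS], min_power)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def decode_dtmf(samples, rate=SAMPLE_RATE, block_size=205, min_blocks=2):
    """Slide fixed blocks over the audio and emit one key per run of identical
    detections; min_blocks drops single-block artefacts at tone edges."""
    keys = []
    current, run = None, 0
    for start in range(0, len(samples), block_size):
        block = samples[start:start + block_size]
        block = block + [0.0] * (block_size - len(block))   # zero-pad the tail
        key = classify_block(block, rate)
        if key == current:
            run += 1
            continue
        if current is not None and run >= min_blocks:
            keys.append(current)
        current, run = key, 1
    if current is not None and run >= min_blocks:
        keys.append(current)
    return "".join(keys)


if __name__ == "__main__":
    print(decode_dtmf(synth_dtmf("4111#")))
```

Nothing here needs more than the audio itself: an app that has been allowed to record calls already has everything it needs to recover keypad entry, which is the point of the attack. Speech recognition for spoken digits is a separate, heavier step that this example does not cover.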
Since both apps are supposed to look legitimate, the first one never asks for network permission, so whatever it collects appears to be stuck on the phone. The second app, called Deliverer, can pose as anything with a plausible need for wireless network access. To move the card numbers from the first app to the second, the pair uses a covert channel built from ordinary Android settings that apps can read and change: the collector encodes the digits as a sequence of setting changes and Deliverer reads them back, so the data never passes through any channel the permission system watches. Think of it like this: you could pass a secret message to someone you never meet by visiting the same room, one after the other. By setting the ceiling fan to high, medium or low on each visit according to a pre-arranged code, you could share information without ever leaving a message in the room.
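The ceiling-fan analogy is a covert channel, and it is worth seeing one end to end. The following is an added example (my own, not the Soundminer code or Android's settings API) that simulates a settings store every app can read and write, a collector that encodes bytes as three-level "fan speed" values, and a Deliverer that reassembles them. The second "clock" setting is my addition: the article's analogy relies on a pre-arranged schedule, whereas a real channel needs some way to tell two identical symbols in a row apart. All names, the framing format and the lock-step scheduling are assumptions of this example.

```python
class Settings:
    """Stand-in for a system settings store that every app on the device can
    read and change (constructed for this example; not Android's real API)."""

    def __init__(self):
        self._values = {"fan_speed": 0, "clock": 0}
        self.history = []           # every write, as a monitor of the store would see it

    def read(self, key):
        return self._values[key]

    def write(self, key, value):
        self._values[key] = value
        self.history.append((key, value))


WEIGHTS = (243, 81, 27, 9, 3, 1)    # six base-3 digits cover a byte (3**6 = 729 >= 256)


def to_trits(data):
    """Each byte becomes six three-level symbols, most significant first."""
    return [(b // w) % 3 for b in data for w in WEIGHTS]


def from_trits(trits):
    """Inverse of to_trits; ignores a trailing partial group."""
    return bytes(sum(t * w for t, w in zip(trits[i:i + 6], WEIGHTS))
                 for i in range(0, len(trits) - 5, 6))


def collector(settings, payload):
    """The first app: sends a one-byte length prefix then the payload, one
    symbol per scheduling slot. It writes the symbol into 'fan_speed' and flips
    'clock' so the reader can tell a fresh symbol from a repeated one."""
    assert len(payload) < 256, "single-byte length prefix in this example"
    frame = bytes([len(payload)]) + payload
    for trit in to_trits(frame):
        settings.write("fan_speed", trit)
        settings.write("clock", 1 - settings.read("clock"))
        yield                       # hand control to the other app


class Deliverer:
    """The second app: polls the store, samples 'fan_speed' on every clock
    edge and reassembles the frame. It never talks to the collector directly."""

    def __init__(self, settings):
        self.settings = settings
        self.last_clock = settings.read("clock")
        self.trits = []

    def poll(self):
        clock = self.settings.read("clock")
        if clock != self.last_clock:
            self.last_clock = clock
            self.trits.append(self.settings.read("fan_speed"))

    def message(self):
        """Decoded payload once the whole frame has arrived, else None."""
        if len(self.trits) < 6:
            return None
        length = from_trits(self.trits[:6])[0]
        if len(self.trits) < 6 * (length + 1):
            return None
        return from_trits(self.trits[6:6 * (length + 1)])


def exfiltrate(payload):
    """Run both apps in lock-step (one symbol written, one poll) and return what
    Deliverer recovered plus the setting writes a monitor would have observed."""
    settings = Settings()
    rx = Deliverer(settings)
    for _ in collector(settings, payload):
        rx.poll()
    return rx.message(), settings.history


if __name__ == "__main__":
    card = b"4111111111111111"       # constructed test-card number, not real data
    got, writes = exfiltrate(card)
    print(got, len(writes))
```

Two things stand out when you run it. The store's history never contains the card number, only a long string of 0/1/2 values and clock flips, so inspecting either app's permissions or its network traffic tells you nothing; and the only observable is the volume of writes: 204 changes to two unrelated settings for a 16-digit number, from an app with no user-facing reason to touch them. Rate or pattern of writes to shared state is the handle a defender has on this kind of channel, not the permission list.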
If nothing else, Soundminer serves as a reminder that Android's permissions are granted and reviewed one app at a time, so two apps you installed separately can pool what each was allowed to do. Even when you follow all the good advice about limiting app permissions and keep an eye out for suspicious app behaviour, you are ultimately trusting the app's author not to do anything nefarious.