Sensory malware: Android app listens then steals credit card data

You are most likely being watched right now without knowing it, but it's the apps on your smartphone that may be tracking your every move. What if an app was listening too, waiting for financial data like your credit card numbers?

android.jpg

When it comes to money, nobody wants theirs stolen. The popularity of smartphones can make them security nightmares like computers were in the past - hot targets for cybercriminals armed with malware and for security researchers hunting out and exploiting vulnerabilities. Last week, at the 18th Annual Network & Distributed System Security Symposium (NDSS), an interesting and scary proof-of-concept app was presented which introduced a "new strain of smartphone malware." This stealthy "sensory malware" takes "Can you hear me now" to a whole new level.

Six researchers from the University of Hong Kong and Indiana University in Bloomington created this wickedly clever "sensory malware" called Soundminer for Google's Android mobile OS. According to their research [PDF], Soundminer monitors phone calls and steals credit card numbers either spoken or entered onto the keypad. The team wrote, "Our study shows that an individual's credit card number can be reliably identified and stealthily disclosed. Therefore, the threat of such an attack is real."

Users are getting smarter about not allowing untrusted applications to have full access to their smartphone data, yet not many would think twice about granting an app permission to access the phone's microphone. Soundminer uses the mic and, in an even more devious move, does not ask for access to the smartphone network to transmit the stolen data. Instead, it uses a "covert channel" to send small amounts of data to another app called Deliverer which then sends the data on to a remote server.

The team of researchers wrote, "As sensor-rich smartphones become more ubiquitous, sensory malware has the potential to breach the privacy of individuals at mass scales."

VirusGuard and Droid Security's AntiVirus "both failed to indentify Soundminer as malware even when it was recording and uploading data," reported ComputerWorld's Jeremy Kirk. Researchers showed off Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones at NDSS. The video below is the demo for Sounderminer.

Also on the app and privacy-preserving front, four researchers from Technical University of Vienna examined how over 1,400 iPhone apps handled user data. They discovered that more than half of the apps collected and shared a device's unique identifier code which allowed users to be tracked without their knowledge. Unscrupulous companies collect the personal data to build and sell users' profiles. "More than 750 of the apps studied used some sort of tracking technology," noted Technology Review, but only 36 "blatantly compromised privacy" by accessing the iPhone's location without informing the user. Another five mined a user's address book for data without seeking permission. The research team made another interesting discovery about Apple's apps vs. Cydia apps. Apps from the "App Store were more likely to surreptitiously access user data than apps from the unpoliced Cydia repository."

In other "bad" app related news, the latest appWatchdog findings released by viaForensics warned that two email apps for Android, Exchange and Hotmail, store passwords in plain text. 17 other retail, social networking, productivity and financial apps store data unencrypted. Those financial apps include PayPal, Chase and TD Ameritrade, but the finance app for Mint failed security tests and was labeled with "sensitive data stored insecurely." 

Join the discussion
Be the first to comment on this article. Our Commenting Policies