There’s malware that can steal your social networks and now there’s malware that can steal your virtual world in order to steal from your in-real-life-world as well. Military researcher Robert Templeman from the Naval Surface Warfare Center in Crane, Indiana, and a team from Indiana University, created a super creepy Android app called PlaceRaider; it runs in the background on the Android 2.3, Gingerbread operating system. The sensory malware covertly taps into the phone’s camera to capture photos which attackers can stitched together to recreate a 3D image of the victim’s surroundings and then steal any sensitive information in view. This new “threat to the privacy and physical security of smartphone users” was dubbed “virtual theft.”
Malware that utilizes a smartphone’s sensors to steal sensitive information from the target’s physical environment has previously been developed. Soundminer monitors phone calls and steals credit card numbers either spoken or entered onto the keypad. Another example uses a smartphone accelerometer; spiPhone eavesdrops on the sound of your fingers typing on the keyboard to detect pairs of keystrokes and determine what you're typing. The creators of PlaceRaider, a “novel visual malware,” said sensor malware that remotely exploits a mobile phone’s camera has been “understudied.”
According to the abstract of PlaceRaider: Virtual theft in physical spaces with smartphones:
Through completely opportunistic use of the camera on the phone and other sensors, PlaceRaider constructs rich, three dimensional models of indoor environments. Remote burglars can thus download the physical space, study the environment carefully, and steal virtual objects from the environment (such as financial documents, information on computer monitors, and personally identifiable information). Through two human subject studies we demonstrate the effectiveness of using mobile devices as powerful surveillance and virtual theft platforms, and we suggest several possible defenses against visual malware.
To test if the visual malware would work and capture images other than the ceiling or a person’s pocket, the Indiana University team handed out infected Android phones to a group who was unaware of the malware. Not only were they able reconstruct 3D models of the users’ surroundings, they were able zoom in and commit “virtual burglary,” meaning they could steal credit card numbers, checks, calendars, documents and other sensitive information such as from a computer screen – anything that the camera could pick up on in the users’ environment. If you carry your phone to the bedroom or somewhere while you were undressing, it would expose a lot more than your documents to an attacker.
So the user was not alerted, the research team avoided surreptitiously taking videos as the battery drain might be noticed. Instead, the malicious mobile app muted the camera shutter as it took random images, and then stamped the time and location on each photo. The camera snapped one picture every two seconds. The software automatically deleted any blurry or dark images that were below the quality threshold before uploading them to the PlaceRaider command and control server. While most Androids have camera resolutions above 8 megapixels, as seen in the image below, they opted for a lower resolution of 1 megapixel to avoid the additional cost to handle and store all that extra data.
Templeman wrote [PDF], “PlaceRaider thus turns an individual's mobile device against him- or herself, creating an advanced surveillance platform capable of reconstructing the user's physical environment for exploration and exploitation.”
Malware such as PlaceRaider could be wrapped and hidden away within another otherwise legitimate app. “These remote services can run in the background, independent of applications and with no user interface.” Although the researchers used the Android platform for the visual malware, they said, “we expect such malware to generalize to other platforms such as iOS and Windows Phone.”
One of the suggested defenses was to check any app permissions before installing, but the researchers said if PlaceRaider was embedded in a camera app, then it would not require escalating privileges. A camera app would ask for the same permissions as the Trojan needed.
Templeman concluded, “We conceptualize a mode of attack where opportunistically collected data is used to build 3D models of users' physical environments. We demonstrate that large amounts of raw data can be collected and define novel approaches that can be used to improve the quality of data that is sent to the attacker. We offer PlaceRaider, an implementation of a virtual theft attack and through human subject studies demonstrate that such attacks are feasible and powerful.”
Remotely exploiting your smartphone camera is certainly scary stuff that could wreak destruction on both a privacy and security level while it covertly steals a person blind. During an interview about the visual malware app on 720 WGN, security researcher Apu Kapadia said PlaceRaider made him paranoid about his phone. Yet when he looked, he couldn't find any smartphone camera covers. If this gets out in the wild, maybe there would be a market for that . . . or else people might use a tiny piece of masking tape?
If interested, you can download the PlaceRaider cryptography and security research paper from Cornell University Library.
Image courtesy of School of Informatics and Computing at Indiana University