Right before a movie starts at a theater, you are advised to avoid being a jerk by turning off your mobile phone. If you chose to ignore that, imagine if the screen’s flickering lights or music within the movie could trigger your Android to call all the other “infected” Android smartphones in the theater, shortly before they all start shrieking with a loud siren sound. That was dubbed an “annoyance attack” by security researchers at the University of Alabama at Birmingham (UAB) who developed nearly impossible-to-detect sensory methods that can trigger embedded malware in mobile phones.
We’ve all heard of subliminal messages hidden in advertisements, but most of us have not thought about “subliminal” messages to trigger malware that was dormant until it is set off by sounds from a TV, radio, music, P2P TV, or even musical greeting cards. Besides successfully using audio as a mode of transport, the researchers also used light, magnets and vibration as other trippy malware triggers.
In the paper, "Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices" [pdf], the researchers explained how sensor-based covert channels could activate malware in mobile devices from up to 55 feet away. “Malware with the capability of using such sensor-based covert channels can also open up new threats such as the creation of localized botnets and geo-targeted attacks.”
“When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the Internet as vulnerable to malware attacks,” stated UAB professor Ragib Hasan. While you probably have anti-virus or other security products installed on your phone, they only protect against traditional communications channels. “But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that.”
Studies of sensory malware are few and far between, but previous work used an Android Soundminer app that listened to phone calls and stole credit card numbers either spoken or entered on the keypad. Another used a smartphone’s accelerometer to turn an iPhone into a spiPhone to eavesdrop and track what you type on a nearby keyboard. Other researchers created an Android PlaceRaider app for visual malware that secretly snaps a picture every two seconds. Now the UAB researchers proved the feasibility of using sensing-enabled covert channels.
Androids have all the different types of sensors needed for sensory channel attacks; these sensors run in the background as Android services. You might think you’d notice a battery drain if malware utilized those sensors, but the researchers found that the ambient light sensor and magnetometer cause virtually no change in battery life; tapping into the microphone for 10 continuous minutes consumed only 1% of battery charge. They developed a prototype Android malware app and installed it on an HTC Evo 4G smartphone running Gingerbread. Then they used “different flavors of command and control channels based on acoustic, visual, magnetic and vibrational signaling.”
The team found that using the light channel works best at night or in a dimly lit place, but could work from the lighting of a large screen TV, computer monitor or overhead lights. Attackers could use magnets attached to NFC readers to tap into a mobile phone’s magnetic sensors and activate embedded malware. The researchers discovered that “command and control trigger messages” in music could be sent over 55 feet indoors and 45 feet outdoors.
Regarding music, if there is enough bass thumping, the vibrations from a subwoofer could activate the malware. But attackers could even successfully use “low-end PC speakers with minimal amplification and low-volume.” Previously dormant malware could kick in via audio in a movie theater, or via a covert message hidden in the music playing in a crowded hallway. An “embarrassment attack” would also use audio such as when “a person may be using her (infected) phone to project a presentation in a conference.” The researchers wrote, “As the person starts to speak, another infected phone in the room can trigger the phone malware (via some out-of-band channel), which would then project an embarrassing video onto the screen.”
Distraction attacks would activate the malware to play a ringtone or to vibrate in order to distract the user who is trying to perform a security task such as reading a warning, or pairing devices. Context-aware malware could also be used for an interference attack. Infected smartphones at an airport could be used as a botnet to launch a denial-of-service attack to bring down the Wi-Fi or other systems. The researchers wrote, “The infected mobile devices can selectively interfere with an aircraft radio system at the time of take-off or landing, or with the medical devices in a hospital.”
How could an Android sensing vibration be used by context-aware malware as a public safety hazard? The researchers suggested, “The malware on the phone can be triggered when the infected phone is inside a driving car; the malware may then interact with the car’s internal network and cause some serious problems. Similarly, a malware may get triggered inside a home/company and may then interfere with the home’s wireless security system – perhaps dismantle it. This will clearly prompt the possibility of theft or burglary and may endanger the lives of the inhabitants.”
The UAB researchers concluded [pdf]:
Malware using such channels will be very difficult or impossible to detect using traditional means, because the underlying command and control channels exploit non-network air-gaps to communicate. Our proof-of-concept prototype exemplifies this emerging problem – using off-the-shelf hardware and popular Android-based mobile phones, we were able to send surreptitious command and control messages without using any wireless or cellular networks. Our prototype malware application received the messages embedded in music, video, household lighting, or magnetic fields.
Images courtesy of UAB.