Soundminer Android malware listens, then steals, phone data

Researchers have developed a sneaky piece of code that listens while a person dials in data

Researchers have developed a low-profile Trojan horse program for Google's Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software.

The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone's keypad, according to the study.

Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said.

The study was done by Roman Schlegel of City University of Hong Kong and Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang of Indiana University in Bloomington, Indiana.

"We implemented Soundminer on an Android phone and evaluated our technique using realistic phone conversation data," they wrote. "Our study shows that an individual's credit card number can be reliably identified and stealthily disclosed. Therefore, the threat of such an attack is real."

Soundminer is designed to ask for as few permissions as possible to avoid suspicion. For example, Soundminer may be allowed access to the phone's microphone, but further access to transmit data, intercept outgoing phone calls and access contact lists might look suspicious.

So in another version of the attack, the researchers paired Soundminer with a separate Trojan, called Deliverer, which is responsible for sending the information collected by Soundminer.

Since Android could prevent that communication between applications, the researchers investigated a stealthy way for Soundminer to communicate with Deliverer. They found what they term are several "covert channels," where changes in a feature are communicated with other interested applications, such as vibration settings.

Soundminer could code its sensitive data in a form that looks like a vibration setting but is actually the sensitive data, where Deliverer could decode it and then send it to a remote server. That covert vibration settings channel only has 87 bits of bandwidth, but that is enough to send a credit card number, which is just 54 bits, they wrote.

Soundminer was coded to do the voice and number recognition on the phone itself, which avoids the need to send large chunks of data through the network for analysis, which might again trigger an alert from security software.

If it is installed on a device, users are likely to approve of the settings that Soundminer is allowed to use, such as the phone's microphone. Since Soundminer doesn't directly need network access due to its use of a covert side channel to send its information, it is unlikely to raise suspicion.

Two antivirus programs for Android, VirusGuard from SMobile Systems and Droid Security's AntiVirus, both failed to identify Soundminer as malware even when it was recording and uploading data, according to the researchers.

In an e-mail statement, Google officials in London did not directly address Soundminer but said that Android is designed to minimize the impact of "poorly programmed or malicious applications if they appear on a device."

"If users believe an application is harmful or inappropriate, they can flag it, give it a low rating, leave a detailed comment, and of course, remove it from their device," Google said. "Applications deemed to be in violation of our policies are removed from Market, and abusive developers can also be blocked from using the Android Market for repeated or egregious violations of our policies."

Join the PC World newsletter!

Error: Please check your email address.

Tags applicationstelecommunicationmobile securitydata breachsoftwareMobile operating systemsmobiledata protectionmalwarefraudGooglesecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?