Soundminder Android Trojan Hears Credit Cards 164
Blacklaw writes "A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers — typed or spoken — and relaying them back to the application's creator. Once installed, Soundminder sits in the background and waits for a call to be placed — hence the access to the 'Phone calls' category. When triggered by a call, the application listens out for the user entering credit card information or a PIN and silently records the information, performing the necessary analysis to turn it from a sound recording into a number."
Re:How many people will this actually affect? (Score:3, Interesting)
Mitigation is simple, but ignored (Score:4, Interesting)
In the team's research paper (PDF), they suggest a defence mechanism against Soundminer: an intermediary layer that analyses input from the microphone before passing it to an application, able to detect credit card numbers and prevent their transmission to Soundminer-like Trojans.
This is possible, but why not take it one step farther (and simpler) and just make an event handler that lets you know what is going on when. These apps all work WITHIN the security construct of the Android OS. They don't even have to exploit code defects or undermine system permissions for this to work; they ask the user if the app is allowed to record (possibly during phone calls) and if its also allowed to send data (possibly right after a phone call). The user doesn't put two and two together, allows the activity and doesn't give it a second thought.
Interlude: This isn't a problem just with "ok-mashing lusers" who blindly accept permissions on anything that comes along. You might want an app with the ability to record voice calls (for security, quality assurance, etc.) and you might want that app to also be able to send data to the internet so it can upload the audio, or something similarly useful. What even the smartest of the smart users don't have any visibility over is the actual source code of all of these apps, to make sure that the app is *only* doing what you want it to. Even astute users, who do everything right except for misplacing their trust in the app developer, can fall for this attack.
Solution: Introduce an event handling feature that can be set up to notify users of possibly malicious activity. If you are paranoid, you will check all the boxes off and be notified when "a third party app is recording while the phone is active", "a third party app is backgrounded and sending data to an internet service and is not on the whitelist", etc. etc. etc. This way you can tell if some random app you didnt even think you were using at the time happened to get ahold of some data you didnt want it to have, and sent it off to a collection server. Is it going to stop the activity? No. Is it going to give the average user who pays attention to their phone but doesn't have the time/wherewithal to do code audits on every app they have installed? YES.