Open Source Security News

Soundminder Android Trojan Hears Credit Cards

Posted by CmdrTaco
from the i-heard-that dept.
Blacklaw writes "A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers — typed or spoken — and relaying them back to the application's creator. Once installed, Soundminder sits in the background and waits for a call to be placed — hence the access to the 'Phone calls' category. When triggered by a call, the application listens out for the user entering credit card information or a PIN and silently records the information, performing the necessary analysis to turn it from a sound recording into a number."

  • But hey (Score:2, Insightful)

    by Pojut (1027544)

    It's Linux-based, so naturally it's secure! /sarcasm

    Note: I have a Droid Eris running Nonsensikal 15.2...so I'm certainly no Android hater.

    • by Tharsman (1364603)
      When there is no limit to what Droid Gets, well.... there is no limit to what Droid Gets. [gogadgetnews.com]
    • by 0xdeadbeef (28836)

      How is this insecure? The behavior is "as designed".

      If it isn't the behavior you thought it should be, well, perhaps you shouldn't install unsigned applications from sketchy websites that want to both access your mic and your phone log.

      • How is this insecure? The behavior is "as designed".

        Being "as designed" is irrelevant to whether something is insecure. If anything, insecure by design is worse than insecure by mistake. At least you can fix a mistake.

        iPhone has this particular issue covered. A background app which is recording sound causes the status bar to turn red and the name of the application doing the recording is displayed.

    • Re: (Score:3, Insightful)

      In fairness to Linux, it still requires a moron somewhere in the equation to accomplish this feat.

    • by dudpixel (1429789)

      This is not a question of the OS, but a question of the app delivery model.

      The same trick would be possible on iOS or WP7 but the app would be less likely to be approved (although some suspect apps have been approved in the past).

  • It could watch for people dialing the numbers of (eg.) online ticket sellers then just record the conversations. There's bound to be a credit card in there.

    • by Tharsman (1364603)
      Why limit your spyware to only specific lists of phone numbers? May as well go for the virulent gold and catch any credit-card number you catch, no matter who you are giving it to. A predetermined list also would mean the virus would be forced to carry extra overhead with a database of phone numbers. Given businesses closing up, opening up, and plainly changing numbers, things that happen every day, the list would be obsolete very fast. An online based database would require the virus to do constant checks a
  • I'm thinking this through and thinking of my android-based device. For anything to gain access like this wouldn't the user need to be root?

    Or can the app simply request permission?

    (Disclaimer: I'm root and have cyanogen on my phone.)
    • by Imagix (695350)
      The app simply requests permission. More accurately, the app asks for permission during install time when the installer notifies the user that this app requires permissions to intercept calls.
      • by rjstanford (69735)

        So it could be bundled in with a "voice changer" app or, probably more successfully, one that randomly inserts background noise (train station, jungle, room-o-farts) into your call. For freez!

      • by Rennt (582550)
        You also have to tick a box saying:

        "Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these applications."

        This is a social engineering attack, not an exploit in the Android system.

    • by Jahava (946858) on Thursday January 20, 2011 @12:21PM (#34940568)

      I'm thinking this through and thinking of my android-based device. For anything to gain access like this wouldn't the user need to be root? Or can the app simply request permission? (Disclaimer: I'm root and have cyanogen on my phone.)

      The article says the application requests the following permissions:

      • Read Phone State and Identity: Used to know when your phone is calling
      • Your Personal Information: Not really used in the attack.
      • Hardware Controls (probably specifically microphone): Lets the application record audio

      There's an additional app that requests Network Capabilities; it's used to relay the data. Since the original application doesn't request those capabilities, it's less obvious (although now a second application has to be installed).

      Basically, the application masquerades as an overly-permissive "voice recorder". It registers to receive notifications when the "phone state" changes, and when you place a call it starts recording. It processes the audio and pulls out voice and touch-tone number sounds. It then passes that information to the "Deliverer" application, which forwards it to the bad guy. Two applications written by the same developer can share data, so they probably use that channel.

      The scenario is that a user will install the recorder app because they want a voice recorder, and will install the "Deliverer" app for some unrelated reason. Neither app's permissions set off any warning bells, but, together, they can steal your data.

      So no, no rooting necessary. Goes to underline the general idea - given any security fence and enough time to understand it, someone will find a way around it. It's not particularly creative or innovative - just one of those proofs-of-concept of the obvious that will get media attention. Android's permissions are a nice heads-up to the user, but you really need to know and trust the publisher before you give any of the more deadly set of permissions (e.g., hardware controls, network communication) to an app.
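The split-permission scenario in the comment above, turned into a defender's audit (an added example, not part of the original post or of the researchers' code): group installed packages by signing certificate and flag any publisher whose apps together can detect a call, record audio and reach the network. The inventory, package names and `CERT-*` labels are constructed placeholders; the permission strings are the real Android ones.

```python
from collections import defaultdict

# Real Android permission strings for the capabilities the comment names.
PHONE_STATE = "android.permission.READ_PHONE_STATE"
RECORD_AUDIO = "android.permission.RECORD_AUDIO"
INTERNET = "android.permission.INTERNET"
CAPTURE = {PHONE_STATE, RECORD_AUDIO}  # learn that a call started, then record it

# Constructed inventory; package names and signer labels are placeholders.
INSTALLED = [
    {"pkg": "com.example.voicememo", "signer": "CERT-A", "perms": {PHONE_STATE, RECORD_AUDIO}},
    {"pkg": "com.example.wallpapers", "signer": "CERT-A", "perms": {INTERNET}},
    {"pkg": "com.example.flashlight", "signer": "CERT-B", "perms": {INTERNET}},
    {"pkg": "com.example.dictaphone", "signer": "CERT-C", "perms": {RECORD_AUDIO}},
    {"pkg": "com.example.callrec", "signer": "CERT-D",
     "perms": {PHONE_STATE, RECORD_AUDIO, INTERNET}},
]


def audit(apps):
    """Flag publishers that can capture call audio AND send it off the device,
    whether one app holds every permission or the set is split across apps."""
    by_signer = defaultdict(list)
    for app in apps:
        by_signer[app["signer"]].append(app)

    findings = []
    for signer, group in sorted(by_signer.items()):
        union = set().union(*(a["perms"] for a in group))
        if not (CAPTURE <= union and INTERNET in union):
            continue
        single = sorted(a["pkg"] for a in group
                        if CAPTURE <= a["perms"] and INTERNET in a["perms"])
        if single:
            findings.append({"signer": signer, "kind": "single-app", "pkgs": single})
        else:
            # No single install prompt showed the full set; only the union does.
            pkgs = sorted(a["pkg"] for a in group
                          if a["perms"] & (CAPTURE | {INTERNET}))
            findings.append({"signer": signer, "kind": "split", "pkgs": pkgs})
    return findings


if __name__ == "__main__":
    for finding in audit(INSTALLED):
        print(finding)
```

Grouping by signer follows this comment's guess that the two apps share data as same-developer apps; a later reply in this thread says they instead signal through global phone settings, which a same-signer check does not cover.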

      • by Klync (152475)

        While "Hardware Controls" seems intuitive for the stated purpose, "Read Phone State and Identity" is fairly common, too. Almost every application will do things differently - whether operating in the foreground or background - depending on whether you are using the phone at the time. E.g. whether to play a sound or ring an alarm. This is one permission I (and I hate to admit it) would barely think twice before granting to just about any app.

      • Personally, I think Google should change the permissions. Hardware Controls should not get access to the microphone during a call - instead, it should ask for a new permission, like "Recording calls". Make it more clear for the user.

        If people install a trojan that specifically says it'll record calls, then there's not much one can do.

      • I'm sure many of us raise an eyebrow at the permissions requests, but most people do not. The biggest security flaw is the user. Most will grant any app permission to do anything.
        • This is why a closed app store is useful. Either malicious apps will be discovered at the approval stage, and never appear on the app store, or they will be removed later when a user reports an app as being malicious.

      • I believe if you read the full article you will also notice that Google stated that they have thought of such a scenario of apps sharing data, so they purposefully made it difficult for them to pass data back and forth to each other. So the recording app and the deliverer app secretly share data by updating various global phone settings such as the ring volume and backlight timeout.

      • by mjwx (966435)

        Basically, the application masquerades as an overly-permissive "voice recorder". It registers to receive notifications when the "phone state" changes, and when you place a call it starts recording. It processes the audio and pulls out voice and touch-tone number sounds. It then passes that information to the "Deliverer" application, which forwards it to the bad guy. Two applications written by the same developer can share data, so they probably use that channel.

        So basically all I have to do to get around thi

        • In this case, a very low success rate for voice recognition is quite acceptable. It's still useful to its creators even if it only occasionally catches a credit card number.

      • by dudpixel (1429789)

        I wonder if there is room for google to host a 2nd app store that is vetted, thereby having the best of both worlds.

        Or better, they should have a certification system for apps, so that apps marked with the tick of approval are guaranteed "safe" by google.

  • But once we stop the Joker, you have to destroy this app or I, Morgan Freeman, will not be in the next movie.
  • by kellyb9 (954229) on Thursday January 20, 2011 @12:07PM (#34940376)
    ... so you better start making smarter phones and more rigorous guidelines for app store approval. Problem solved.
  • Three articles in a row casting doubt on Android in one way or the other... really, Rob?

    • by Anonymous Coward

      Yes, clearly Android must be above all criticism.

      Back in real life, Slashdot is about page views, not some juvenile war against the "bad guys".

    • by socz (1057222)
      So for the last world cup, I made for the teams we were rooting for (here in the office) Android banners! It took about a day to figure out what I was doing, but after that it went well. At first I just used backgrounds to match the colors and text for the slogan. But then I found it better/easier to use a graphic. So when our teams were playing we'd open the program and display our support on our android phones. +1 for Android!
  • by kellyb9 (954229) on Thursday January 20, 2011 @12:16PM (#34940486)
    This is just one practical application. *Puts on tin foil hat* What about a comparable government system mining for certain terrorism related keywords? I can think of 100's of more dangerous applications to this type of software, and I don’t even have to be the person who has it installed. I find that particularly frightening.
    • by delinear (991444)
      Why would the government go to the cost and effort of trying to get a few people to install this on their phones when they are almost certainly already listening to everyone's calls at the exchange.
    • by cpghost (719344)

      What about a comparable government system mining for certain terrorism related keywords?

      Governments don't need it: they already tap the backbones... But look at it the other way: how about an app that would listen on Gov't employees, and relay everything to sites like WikiLeaks et al.?

  • "A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers -- typed or spoken -- and relaying them back to the application's creator. Once installed, Soundminder sits in the background"

    How does this 'trojan' get onto the handsets in the first place?
    • by The Moof (859402)
      The same way other malware gets distributed - offer some trivial software with this bundled into it. Users have a tendency to blindly give permissions without caring just to get dialogs out of their face.
  • But... this type of hack will never get into the wild on the iPhone.... ..or, if it was ever missed by their app vetting procedure, Apple could remotely shut it down anyhow.

    Remind me not to get an Android phone, if this is the type of stuff hackers are going to be distributing soon.

    --
    Possessed - my first Facebook game. Come play!. [facebook.com]

    • by Klync (152475)

      Article: "People have been known to cut themselves when using these really sharp knives. Maybe they should have additional safety features."

      You: "Yeah, but those knives wouldn't even get through the door of the prison I live in. Why doesn't everybody just live in a prison like me?"

      • The thing about a sharp knife, it looks like a sharp knife...

        The thing about a trojan running on a phone, it looks like whatever the app maker wants it to look like, probably fluffy and cute and not at all like something that's going to hurt.

        --

        Possessed - my first Facebook game. Come play! [facebook.com]

        • by AK Marc (707885)
          Reminds me of Happy99. That was the first I remember running into a working program that did what it said it would do that was also a virus (well, we didn't call them viruses at the time, but they do now). Well, aside from keygens and such that people were already wary of.
      • by jgtg32a (1173373)
        Actually a sharp knife is a safe knife, most knife injuries are from having a dull knife slip.
    • Only a threat if you are dumb enough to install it in the first place. Dumb users == owned equipment. That's always been the case. No technology is going to fix stupid behavior. This is why antivirus is useless. If antivirus is detecting things, then IT'S ALREADY TOO LATE! We want to PREVENT the infection, and proper hygiene and common sense in synergy with proper technological controls is the only way that is going to happen.

    • You are aware that Android has a kill switch too, right?
    • by I8TheWorm (645702) *

      Never. I agree. Apple has enough employees and technology to thoroughly check [iphonehacks.com] apps it allows into the app store.

      And wouldn't it be cool if Google had built in an app kill switch [readwriteweb.com] like Apple did?

      You are hereby reminded not to get an Android phone if you lack the ability to do simple web searches.

      • That an app store can't catch every malicious app before approval doesn't mean it isn't useful to catch most.

        And the Android kill switch is only for apps downloaded off Google's own marketplace. Android fans here often praise the openness of being able to install apps from anywhere. But that also means that security wise, they're fucked.

  • Aren't there still cell-phone scanners? Why would anyone enter a CC number via cell phone if anyone within cell range could be listening in or recording CC info?
  • So why isn't access to the microphone mutually exclusive? If the phone is using the microphone for an ongoing conversation, then apps shouldn't be able to use it at the same time. I can understand having the OS accessibility routines having concurrent access with an app, but when you are on an actual voice connection, that should probably be exclusive access. Similarly, applications like skype should also be able to request exclusive access to the microphone.
    • by OverlordQ (264228)

      If the phone is using the microphone for an ongoing conversation, then apps shouldn't be able to use it at the same time.

      But how else can you get the completely awesome t-pain autotune app!

    • by I8TheWorm (645702) *

      Since I use my personal smartphone for business, I do like to record calls from time to time. An exclusive lock on the mic would prevent that.

      Other folks like voice changers, background noise apps, etc...

  • by Klync (152475) on Thursday January 20, 2011 @12:45PM (#34940902)

    Perhaps one solution to consider would be the ability to put the device into a state where nothing but the phone is running - i.e. all other apps are just blocked until the call is released. Alternatively, the phone data in / out could be sandboxed from the rest of the OS. This would be a special mode since there are legitimate uses for this (tone dialing, call recording, etc.), but should be available to switch on when needed (or take the reverse approach and have it on by default, switched off when desired).

    I'm not sure if the Android API would allow building an app for this, or if something at a lower-level would be required.... Anyway, feel free to implement this and send me the royalty cheques if you can. Just google for my banking info.

  • I don't own an Android phone so I may not be the best person to comment but it seems to me they need two Marketplaces, - or at least 2 separate areas. One area would contain apps that have gone through some testing and approval process and another that's just wide open, - all bets are off. Probably wouldn't prevent people from blaming the phone if their CC number gets stolen but at least people would know that there's an identifiable subset of apps that are malware free.
    • by I8TheWorm (645702) *

      From Google's point of view that's exactly what Android users have. The Google Marketplace where apps are vetted, and the other app stores where they may or may not be.

  • by neon-fx (777448) on Thursday January 20, 2011 @12:53PM (#34941024)
    Once again being unintelligibly Scottish comes in useful.
  • ...Android is vulnerable because it's open source [electronista.com], or so sayeth the idiot CEO of Trend Micro...

  • by jeffmeden (135043) on Thursday January 20, 2011 @02:07PM (#34942148) Homepage Journal

    In the team's research paper (PDF), they suggest a defence mechanism against Soundminer: an intermediary layer that analyses input from the microphone before passing it to an application, able to detect credit card numbers and prevent their transmission to Soundminer-like Trojans.

    This is possible, but why not take it one step farther (and simpler) and just make an event handler that lets you know what is going on when. These apps all work WITHIN the security construct of the Android OS. They don't even have to exploit code defects or undermine system permissions for this to work; they ask the user if the app is allowed to record (possibly during phone calls) and if it's also allowed to send data (possibly right after a phone call). The user doesn't put two and two together, allows the activity and doesn't give it a second thought.

    Interlude: This isn't a problem just with "ok-mashing lusers" who blindly accept permissions on anything that comes along. You might want an app with the ability to record voice calls (for security, quality assurance, etc.) and you might want that app to also be able to send data to the internet so it can upload the audio, or something similarly useful. What even the smartest of the smart users don't have any visibility over is the actual source code of all of these apps, to make sure that the app is *only* doing what you want it to. Even astute users, who do everything right except for misplacing their trust in the app developer, can fall for this attack.

    Solution: Introduce an event handling feature that can be set up to notify users of possibly malicious activity. If you are paranoid, you will check all the boxes off and be notified when "a third party app is recording while the phone is active", "a third party app is backgrounded and sending data to an internet service and is not on the whitelist", etc. etc. etc. This way you can tell if some random app you didn't even think you were using at the time happened to get ahold of some data you didn't want it to have, and sent it off to a collection server. Is it going to stop the activity? No. Is it going to give the average user who pays attention to their phone but doesn't have the time/wherewithal to do code audits on every app they have installed? YES.
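The two notification rules proposed in the comment above, run over an event stream (an added example, not part of the original post and not an Android API). The event tuple format, the example package names and the whitelist are constructed assumptions; `OFFHOOK`/`IDLE`/`RINGING` mirror Android's telephony call states and `com.android.phone` is assumed to be the system dialer.

```python
REC = "a third party app is recording while the phone is active"
NET = "a third party app is backgrounded and sending data, not on the whitelist"

WHITELIST = {"com.example.mail"}   # user-approved background senders (assumed)
SYSTEM = {"com.android.phone"}     # excluded from the "third party" rules

# Constructed events: (seconds, kind, app, value). Not a real Android log format.
EVENTS = [
    (0, "foreground", "com.example.game", None),
    (5, "call", "com.android.phone", "OFFHOOK"),
    (5, "foreground", "com.android.phone", None),
    (6, "mic_open", "com.example.voicememo", None),
    (40, "mic_close", "com.example.voicememo", None),
    (42, "call", "com.android.phone", "IDLE"),
    (43, "net_send", "com.example.mail", 2048),
    (44, "net_send", "com.example.wallpapers", 512),
    (50, "foreground", "com.example.wallpapers", None),
    (51, "net_send", "com.example.wallpapers", 128),
]


def monitor(events, whitelist=WHITELIST, system=SYSTEM):
    """Return (time, app, rule) alerts for the two rules quoted in the comment."""
    in_call = False
    foreground = None
    mic_holders = set()
    alerts = []
    for t, kind, app, value in events:
        if kind == "call":
            in_call = value == "OFFHOOK"
            if in_call:
                # Edge case: an app that opened the mic before the call began.
                for holder in sorted(mic_holders - system):
                    alerts.append((t, holder, REC))
        elif kind == "foreground":
            foreground = app
        elif kind == "mic_open":
            mic_holders.add(app)
            if in_call and app not in system:
                alerts.append((t, app, REC))
        elif kind == "mic_close":
            mic_holders.discard(app)
        elif kind == "net_send":
            if app != foreground and app not in system and app not in whitelist:
                alerts.append((t, app, NET))
    return alerts


if __name__ == "__main__":
    for alert in monitor(EVENTS):
        print(alert)
```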

  • Once installed, Soundminder sits in the background and waits for a call to be placed -- hence the access to the 'Phone calls' category....

    Er, perhaps this is why you should not be giving random applications access to your phone calls. There is a reason the android security system prompts you for this stuff.