Slashdot Mirror
Soundminder Android Trojan Hears Credit Cards
Blacklaw writes "A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers — typed or spoken — and relaying them back to the application's creator. Once installed, Soundminder sits in the background and waits for a call to be placed — hence the access to the 'Phone calls' category. When triggered by a call, the application listens out for the user entering credit card information or a PIN and silently records the information, performing the necessary analysis to turn it from a sound recording into a number."
...didn't see THAT coming.
It's Linux-based, so naturally it's secure! /sarcasm
Note: I have a Droid Eris running Nonsensikal 15.2...so I'm certainly no Android hater.
Living With a Nerd
Do people actually still give credit card numbers over the phone? I can't think of one time in the last 8 years that I've had a credit card that I've ever given it out over the phone. And not out of fear, either. The situation has just never come up.
It could watch for people dialing the numbers of (eg.) online ticket sellers then just record the conversations. There's bound to be a credit card in there.
No sig today...
...
I'm thinking this through and thinking of my android-based device. For anything to gain access like this wouldn't the user need to be root?
Or can the app simply request permission?
(Disclaimer: I'm root and have cyanogen on my phone.)
The Kai's Semi-Updated Website Thingy
But once we stop the Joker, you have to destroy this app or I, Morgan Freeman, will not be in the next movie.
"Waste not one watt!" - CZ
... so you better start making smarter phones and more rigorous guidelines for app store approval. Problem solved.
Three articles in a row casting doubt on Android in one way or the other... really, Rob?
Not just phone calls. I thought it was sitting in the background, voice activated, listening for strings of numbers. But I imagine that would consume too much power.
This is just one practical application. *Puts on tin foil hat* What about a comparable government system mining for certain terrorism related keywords? I can think of 100's of more dangerous applications to this type of software, and I don’t even have to be the person who has it installed. I find that particularly frightening.
THRICE!
"Waste not one watt!" - CZ
"A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers -- typed or spoken -- and relaying them back to the application's creator. Once installed, Soundminder sits in the background"
How does this 'trojan' get onto the handsets in th first place?
...App Store starting to look a little better?
Of course, when the latest Android 2.2 phone OS gets pushed to the phones, everything will be better.
Oh, right. The PhoneCos are refusing to push that upgrade .
Guaranteed! This comment 100% Anthrax free!
So now every Tom, Dick and Harry want-to-be hacker has got this new great idea of another way of making life difficult for everyone one else. Thanks for publishing it.
But... this type of hack will never get into the wild on the iPhone.... ..or, if it was ever missed by their app vetting procedure, Apple could remotely shut it down anyhow.
Remind me not to get an Android phone, if this is the type of stuff hackers are going to be distributing soon.
--
Possessed - my first Facebook game. Come play!.
Aren't there still cell-phone scanners? Why would anyone enter a CC number via cell phone if anyone within cell range could be listening in or recording CC info?
So why isn't access to the microphone mutually exclusive? If the phone is using the microphone for an ongoing conversation, then apps shouldn't be able to use it at the same time. I can understand having the the OS accessibility routines having concurrent access with an app, but when you are on an actual voice connection, that should probably be exclusive access. Similarly, applications like skype should also be able to request exclusive access to the microphone.
Atlas stands on the earth and carries the celestial sphere on his shoulders.
Article: "People have been known to cut themselves when using these really sharp knives. Maybe they should have additional safety features."
You: "Yeah, but those knives wouldn't even get through the door of the prison I live in. Why doesn't everybody just live in a prison like me?"
----
Not to be confused with Col.
Perhaps one solution to consider would be the ability to put the device into a state where nothing but the phone is running - i.e. all other apps are just blocked until the call is released. Alternatively, the phone data in / out could be sandboxed from the rest of the OS. This would be a special mode since there are legitimate uses for this (tone dialing, call recording, etc.), but should be available to switch on when needed (or take the reverse approach and have it on by default, switched off when desired).
I'm not sure if the Android API would allow building an app for this, or if something at a lower-level would be required.... Anyway, feel free to implement this and send me the royalty cheques if you can. Just google for my banking info.
----
Not to be confused with Col.
I don't own an Android phone so I may not be the best person to comment but it seems to me they need two Marketplaces, - or at least 2 separate areas. One area would contain apps that have gone through some testing and approval process and another that's just wide open, - all bets are off. Probably wouldn't prevent people from blaming the phone if their CC number gets stolen but at least people would know that there's an identifiable subset of apps that are malware free.
Complain about Android's "open" ethos all you want, but at least responsible users can install what they want rather than what their phone provider tells them they're allowed. There are up- and downsides to both the open and closed approaches. Open is less secure but allows greater freedom, closed is more secure at the cost of freedom. There's no right or wrong, there's only right or wrong for you - for me, I've lived for 15 years with Windows and never had an issue with malware because I exercise responsibility. I intend to use my phone the same way and don't envisage any issues. If this was some kind of rampant worm that could spread and replicate without my agreement then I'd agree. If it's an attack vector that only works on people who don't exercise caution over what they're installing then I totally agree those people would be better off with Apple's protection. That's not an inherent flaw with either OS, it's an inherent flaw with people.
Still, if you're not the kind of person who can't use a computer responsibly without installing malware, then consider yourself reminded not to get an Android phone :) I'd also recomment turning off your PC before you click on an ad for free screensavers or respond to that email from the nice Nigerian prince.
Once again being unintelligibly Scottish comes in useful.
First, Apple's vetting procedure is inconsistent at best. I have a flashlight app from the store that doubles as a wifi hotspot.
Second, Android also has a remote shut down capability for apps.
The thing about a sharp knife, it looks like a sharp knife...
The thing about a trojan running on a phone, it looks like whatever the app maker wants it to look like, probably fluffy and cute and not at all like something that's going to hurt.
--
Possessed - my first Facebook game. Come play!
When I first read this I thought that headphone jack credit card readers, like Square, had been compromised. Is that possible?
Only a threat if you are dumb enough to install it in the first place. Dumb users == owned equipment. That's always been the case. No technology is going to fix stupid behavior. This is why antivirus is useless. If antivirus is detecting things, then IT'S ALREADY TOO LATE! We want to PREVENT the infection, and proper hygiene and common sense in synergy with proper technological controls is the only way that is going to happen.
I think that everyone that knows about the app should download it and start feeding the 'owner' strings of bogus numbers. Let them wade through a few million numbers for a real hit.
There are more choices than the two extremes of rigid control or the wild west. Both Apple and Google could have an optional approval process which would certify that an app is safe for use on your phone. Maybe there would be some cost to the developer. Other apps could be submitted without certification. The marketplace or store would have to clearly identify which apps have been certified and which haven't. A user should be warned if they're downloading an app that hasn't been certified and given the option to permanently turn that warning off if they choose. I much prefer that model than having to install some virus checker on my phone which takes up resources, costs money, has to be kept up to date and may misidentify a critical OS file as a virus and inadvertantly brick the phone.
You are aware that Android has a kill switch too, right?
From the article:
Soundminer takes a novel approach to these restrictions, by only requesting access to 'Phone calls,' to read phone state and identity, 'Your personal information,' to read contact data, and 'Hardware controls' to record audio - none of which will ring alarm bells if the app is marketed as a voice recording tool.
So, it is using way more than just "Phone calls", and by no means is this "novel"
If you downloaded a "voice recording tool" with this permission list your deserved to get robbed blind.
All smartphone owners (iPhone included, Apple wont protect you from everything) need to start being way more paranoid about their phones. It is your wallet, it is your email, it is your life.
Regardless the phone you are using, you must assume that someone can be listening to your phone conversation. On a home wireless phone, all it takes is a scanner from radio shack. On your cell, it requires slightly more sophisticated hardware, but can be done. Heck, Apple has a patent out for the iPhone built-in listening techniques.
My advice? If you use a credit card, make sure it has consumer fraud protection. And NEVER under any circumstances use a bank card over the phone. Yes bank cards usually have fraud protection, but any disputes will tie up your funds for longer than you think. Better to tie up your credit during a dispute, than your bank account.
So if people started giving away things on the street you'd just take a bunch of it? And if it had a dangerous object-- sharp stone, badly processed food, whatever-- inside, you'd willingly admit yourself so some sort of institution to protect yourself from bad street peddlers?
The problem isn't with the system. The problem is that people want to be able to trust the random guy on the internet freely giving them "OMG ELF DANCE PENGUIN BASEBALL.SWF.EXE" since it's the best thing ever.
Of course, the root cause is that people are bastards and try to fool people to begin with. But as a population we should be pretty aware that there is (unfortunately) no such thing as a free lunch.
Knives, trojans, and hacking...reminds me of my college days when I stuck a phone ringer in my roommates iron. Every time he was ironing his shirts I would remotely activate the ringer. He ended up burning both of his ears before he realized what was going on.
Who's to say this software couldn't be easily adapted to pick up on credit card numbers that are spoken out loud in any location. A hidden wireless microphone could be placed at a target location and monitored for weeks if necessary just waiting to pick up on those digits. Why not add a plug-in for dates-of-birth, drivers license numbers, and other personal identifying info? For identity theives such passive monitoring software could reap in millions from unsuspecting victims with little effort at all.
Possible applications for law enforcement - program it to pick up on conversations only about drugs or money laundering rather than waste countless man-hours listening to every call some mobster makes to his grandmother or ordering pizza.
Actually a sharp knife is a safe knife, most knife injuries are from having a dull knife slip.
...Android is vulnerable because it's open source, or so sayth the idiot CEO of Trend Micro...
different than a Mac/PC keylogger how?
While people are somewhat open to the idea of their computer getting a virus they don't expect their phones to be tapped by thieves. Its a legacy of the analog world, many consider voice to be more secure than submitting a web-based form.
Never. I agree. Apple has enough employees and technology to thoroughly check apps it allows into the app store.
And wouldn't it be cool if Google had built in an app kill switch like Apple did?
You are hereby reminded not to get an Android phone if you lack the ability to do simple web searches.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
In the team's research paper (PDF), they suggest a defence mechanism against Soundminer: an intermediary layer that analyses input from the microphone before passing it to an application, able to detect credit card numbers and prevent their transmission to Soundminer-like Trojans.
This is possible, but why not take it one step farther (and simpler) and just make an event handler that lets you know what is going on when. These apps all work WITHIN the security construct of the Android OS. They don't even have to exploit code defects or undermine system permissions for this to work; they ask the user if the app is allowed to record (possibly during phone calls) and if its also allowed to send data (possibly right after a phone call). The user doesn't put two and two together, allows the activity and doesn't give it a second thought.
Interlude: This isn't a problem just with "ok-mashing lusers" who blindly accept permissions on anything that comes along. You might want an app with the ability to record voice calls (for security, quality assurance, etc.) and you might want that app to also be able to send data to the internet so it can upload the audio, or something similarly useful. What even the smartest of the smart users don't have any visibility over is the actual source code of all of these apps, to make sure that the app is *only* doing what you want it to. Even astute users, who do everything right except for misplacing their trust in the app developer, can fall for this attack.
Solution: Introduce an event handling feature that can be set up to notify users of possibly malicious activity. If you are paranoid, you will check all the boxes off and be notified when "a third party app is recording while the phone is active", "a third party app is backgrounded and sending data to an internet service and is not on the whitelist", etc. etc. etc. This way you can tell if some random app you didnt even think you were using at the time happened to get ahold of some data you didnt want it to have, and sent it off to a collection server. Is it going to stop the activity? No. Is it going to give the average user who pays attention to their phone but doesn't have the time/wherewithal to do code audits on every app they have installed? YES.
If it works as well as voice dialing one of my contacts on my droid phone... no worries, they will end up with a string of random gibberish instead of a real number.
If antivirus is detecting things, then IT'S ALREADY TOO LATE!
So you'd rather just let it go, silently listening to your system for years, instead of knowing that it's there?
Not to mention being able to scan downloads before you run an install? Wouldn't that be considered prevention?
If you think that only irresponsible or dumb users can get malware or viruses, then you're probably nothing more than a low-level dumbass IT guy that thinks he's a god because he knows how to install Windows and tweak the registry
Reduction in talk time means more excuses to miss calls. Where do I sign up?
Oops, I meant to type "Who said 'is secure'" not "Who said 'more secure'". I accidentally repeated the parent's phrase. Ie., no one said analog is secure. Just that the physical effort of an analog tap makes it more secure than the automation of a digital tap.
GP: People should be allowed to live in a prison if they want.
You: Nobody should be allowed to live in a prison even if they want to.
Who loves freedom now bitch?
Your throat is linux based so your voice is entirely secure, and can't be captured by this software?
Once installed, Soundminder sits in the background and waits for a call to be placed -- hence the access to the 'Phone calls' category....
Er, perhaps this is why you should not be giving random applications access to your phone calls. There is a reason the android security system prompts you for this stuff.
Reminds me of Happy99. That was the first I remember running into a working program that did what it said it would do that was also a virus (well, we didn't call them viruses at the time, but they do now). Well, aside from keygens and such that people were already wary of.
Learn to love Alaska
That an app store can't catch every malicious app before approval doesn't mean it isn't useful to catch most.
And the Android kill switch is only for apps downloaded off Google's own marketplace. Android fans here often praise the openness of being able to install apps from anywhere. But that also means that security wise, they're fucked.
Ignoring the fact that this is a completely impractical exploit (speakerphone must be on for keypad to be recognized; apps can't intercept what's the other person is saying or what number was dialed, so it would have to listen to *ALL* convos for just that one call to a bank, voice recognizing on-device will drain the battery like a bitch, and uploading it to a server would run up your bill like mad / drain your battery like a bitch / far too slow, and most importantly, if someone found this out it would be kicked out of the market / probably pulled from devices)
Also, what's to stop this from occurring on any other platform? All the behaviours look like normal regular API calls (accessing internet, microphone, etc), so an API access review wouldn't help much / at all any other platform either.
At least if you were paranoid about security, on Android, you can see which apps have what permissions and if you either:
- not install them to begin with
- use a task killer and automate the shutdown of said tasks with microphone control
With any other platform, how do you even know your mic is being used at all?
Where one's comment can go from "Interesting" and "Insightful" to "Troll" in less than a day.
Even more interesting when all one writes is the truth.
Man, and I thought Randroids with mod points were dicks. Smelly Linux Hippies are just as bad. (insert smiley emoticon here indicating snark. if I used emoticons. which I don't.)
"Comment Moderation
sent by Slashdot Message System on Thursday January 20, @07:05PM
The iPhone and its "Walled Garden"..., posted to Soundminder Android Trojan Hears Credit Cards, has been moderated Interesting (+1).
It is currently scored Normal (2).
The iPhone and its "Walled Garden"..., posted to Soundminder Android Trojan Hears Credit Cards, has been moderated Insightful (+1).
It is currently scored Interesting (3).
The iPhone and its "Walled Garden"..., posted to Soundminder Android Trojan Hears Credit Cards, has been moderated Troll (-1).
It is currently scored Interesting (2).
The iPhone and its "Walled Garden"..., posted to Soundminder Android Trojan Hears Credit Cards, has been moderated Troll (-1).
It is currently scored Troll (1).
The iPhone and its "Walled Garden"..., posted to Soundminder Android Trojan Hears Credit Cards, has been moderated Troll (-1).
It is currently scored Troll (0). "
So, what part of the fact that the Phone Companies refuse to push the latest Android update because they're too sodding cheap to pay the modest fee per user is "Trolling"?
More "Flamebait" actually. That's how I would mod it, and I WROTE it.
Guaranteed! This comment 100% Anthrax free!