Soundminder Android Trojan Hears Credit Cards
Blacklaw writes "A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers — typed or spoken — and relaying them back to the application's creator. Once installed, Soundminder sits in the background and waits for a call to be placed — hence the access to the 'Phone calls' category. When triggered by a call, the application listens out for the user entering credit card information or a PIN and silently records the information, performing the necessary analysis to turn it from a sound recording into a number."
It's Linux-based, so naturally it's secure! /sarcasm
Note: I have a Droid Eris running Nonsensikal 15.2...so I'm certainly no Android hater.
Living With a Nerd
It could watch for people dialing the numbers of (eg.) online ticket sellers then just record the conversations. There's bound to be a credit card in there.
No sig today...
When my cards expire my bank mails me a new card, with a phone number to call in order to activate it. The process involves telling the machine what card is being activated.
I'm thinking this through and thinking of my android-based device. For anything to gain access like this wouldn't the user need to be root?
Or can the app simply request permission?
(Disclaimer: I'm root and have cyanogen on my phone.)
The Kai's Semi-Updated Website Thingy
... so you better start making smarter phones and more rigorous guidelines for app store approval. Problem solved.
Three articles in a row casting doubt on Android in one way or the other... really, Rob?
Do people actually still give credit card numbers over the phone? I can't think of one time in the last 8 years that I've had a credit card that I've ever given it out over the phone. And not out of fear, either. The situation has just never come up.
I suspect they're talking about strings of touch-tone numbers that are dialed during a phone call. If the string is long enough, an application can infer that it's a credit card number.
This happens all the time with over-the-phone payment systems. True, many of these systems are being supplanted by online payment methods, but many niche services (debt collection, carry-out order, etc.) still use smaller automated phone-based systems.
Do people actually still give credit card numbers over the phone?
When I pay my CC I can call up the company's automated phone line to authorise a transfer from a known bank account. In doing so they want me to give them the CC number. So that's another reason you could give your CC number over the phone.
I am Slashdot. Are you Slashdot as well?
This is just one practical application. *Puts on tin foil hat* What about a comparable government system mining for certain terrorism related keywords? I can think of 100's of more dangerous applications to this type of software, and I don’t even have to be the person who has it installed. I find that particularly frightening.
It works on Android. Next question?
Am I eval()? - http://www.monst3r.com.br
There's no reason this can't be done for spoken numbers, either. Android's built-in voice recognition system could easily be used to monitor whether you've just uttered a string of numbers.
Check out my world simulator thingy.
Never had to call the credit card company to dispute a bill? They ask for the credit card #. I also guess you don't use a good reward program. I like my reward program (1% cash - same as all the rest - except they put the cash reward directly into a savings account one month after you pay the bill as opposed to year end.) Because if you have a reward program you like, you tend to use it for everything - even buying pizza on the phone.
excitingthingstodo.blogspot.com
THRICE!
"Waste not one watt!" - CZ
"A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers -- typed or spoken -- and relaying them back to the application's creator. Once installed, Soundminder sits in the background"
How does this 'trojan' get onto the handsets in the first place?
TFS says "typed or spoken", are you guys reading it?
Every time I receive a replacement for an expired credit card I have to phone in to activate it. First thing asked for? Card number.
Are there credit cards that do not require a call to activate?
Eloi are stupid, throw morlocks at them!
Article and summary say "typed or spoken" - so it is not simply looking for a sequence of tones - which broadens the impact significantly even from official over-the-phone payment systems.
Still, the fact that CC companies have to eat fraudulent transactions over $50 means that even if this were in the wild, it probably would not have major impact. CC companies are pretty good at detecting fraud. Debit cards/banks, however, are not held to the same standard - highly recommend never, ever, using a debit card under any circumstances regardless of this kind of exploit.
I do it frequently. Some places I deal with (campgrounds, mostly) do not have online ordering or whatever.
Aren't there still cell-phone scanners? Why would anyone enter a CC number via cell phone if anyone within cell range could be listening in or recording CC info?
- Credit card activation
- Bill payment by credit card or first time set-up of automatic payments
- Checking your credit card balance
- Calling in to dispute a charge
- Calling in to find out why a card has been declined (happens to me often when on vacation due to over sensitive fraud protection)
- Calling in to get a lost or stolen card replaced
- Ordering take-out or delivery
EA David Gardner -"... but the consumers have proven that actually what they want is fun."
So why isn't access to the microphone mutually exclusive? If the phone is using the microphone for an ongoing conversation, then apps shouldn't be able to use it at the same time. I can understand having the OS accessibility routines having concurrent access with an app, but when you are on an actual voice connection, that should probably be exclusive access. Similarly, applications like skype should also be able to request exclusive access to the microphone.
Atlas stands on the earth and carries the celestial sphere on his shoulders.
Article: "People have been known to cut themselves when using these really sharp knives. Maybe they should have additional safety features."
You: "Yeah, but those knives wouldn't even get through the door of the prison I live in. Why doesn't everybody just live in a prison like me?"
----
Not to be confused with Col.
When my cards expire my bank mails me a new card, with a phone number to call in order to activate it. The process involves telling the machine what card is being activated.
I believe I just activated a credit card recently and I think they only ask for a portion of the credit card digits, last four digits or something. And then also maybe the last four digits of my social security number. The credit card company only has so many cards out for activation at any one time, so they don't need all the digits to know which card it is.
There's a 1 in 100 million chance that someone has the same last four digits on their credit card as I do AND the same last four digits of their social as I do. What are the chances that they're also waiting on a replacement credit card as I am? If there is a collision in their database, they could just send the first one of us to call to an operator who would ask a few more identifying questions to verify which person they're talking to.
We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
Perhaps one solution to consider would be the ability to put the device into a state where nothing but the phone is running - i.e. all other apps are just blocked until the call is released. Alternatively, the phone data in / out could be sandboxed from the rest of the OS. This would be a special mode since there are legitimate uses for this (tone dialing, call recording, etc.), but should be available to switch on when needed (or take the reverse approach and have it on by default, switched off when desired).
I'm not sure if the Android API would allow building an app for this, or if something at a lower-level would be required.... Anyway, feel free to implement this and send me the royalty cheques if you can. Just google for my banking info.
I don't own an Android phone so I may not be the best person to comment but it seems to me they need two Marketplaces, - or at least 2 separate areas. One area would contain apps that have gone through some testing and approval process and another that's just wide open, - all bets are off. Probably wouldn't prevent people from blaming the phone if their CC number gets stolen but at least people would know that there's an identifiable subset of apps that are malware free.
I have had a few that use the caller ID of the phone I'm calling from first. If I call from the home phone the CC company has on file (yeah I still have a landline) it just replied with "your new card is activated".
That $50 limit was extended to debit cards some time ago
"That $50 liability limit also applies to ATM and debit cards, though holders of these cards might be liable for up to $500 if they fail to report the card's disappearance within two business days after they learn of the loss or theft of the card. (Debit and ATM card owners can be held responsible for all losses if they fail to report the theft within 60 days of when a bank statement showing unauthorized charges is mailed.) " -- http://www.scambusters.org/creditcard3.html
They asked me for the full card number, but no social.
Once again being unintelligibly Scottish comes in useful.
First, Apple's vetting procedure is inconsistent at best. I have a flashlight app from the store that doubles as a wifi hotspot.
Second, Android also has a remote shut down capability for apps.
The thing about a sharp knife, it looks like a sharp knife...
The thing about a trojan running on a phone, it looks like whatever the app maker wants it to look like, probably fluffy and cute and not at all like something that's going to hurt.
--
Possessed - my first Facebook game. Come play!
Or maybe every Tom, Dick and Harry want-to-be hacker already knew about this (it's hardly a great leap from a voice recognition-enabled phone to scanning calls for important information) and these guys have brought it to the public's attention by publishing this.
Only a threat if you are dumb enough to install it in the first place. Dumb users == owned equipment. That's always been the case. No technology is going to fix stupid behavior. This is why antivirus is useless. If antivirus is detecting things, then IT'S ALREADY TOO LATE! We want to PREVENT the infection, and proper hygiene and common sense in synergy with proper technological controls is the only way that is going to happen.
The CC companies don't have to eat this. They take the money back from the merchant who accepted this fraudulent charge. I know this from the Taxi company I worked for (stolen card was used), and the current mail-order company I work for.
There are more choices than the two extremes of rigid control or the wild west. Both Apple and Google could have an optional approval process which would certify that an app is safe for use on your phone. Maybe there would be some cost to the developer. Other apps could be submitted without certification. The marketplace or store would have to clearly identify which apps have been certified and which haven't. A user should be warned if they're downloading an app that hasn't been certified and given the option to permanently turn that warning off if they choose. I much prefer that model than having to install some virus checker on my phone which takes up resources, costs money, has to be kept up to date and may misidentify a critical OS file as a virus and inadvertently brick the phone.
Debit cards/banks, however, are not held to the same standard
Correct, most are capped at $0 liability.
You are aware that Android has a kill switch too, right?
I'm mildly surprised this is modded up here. Not the 2.2 push, that probably should go out; it's in the nature of open source to require such upgrades for security reasons, it's already a known procedure on linux desktops/servers.
What I am surprised at is I'm seeing a modded up post on Slashdot booing open platforms and making positive light of one of IT's most closed source systems.
Would you prefer it locked down and not open source, would that make the droid a better phone to you? What is your desktop/server OS preference and would it be considered in the same light?
Not trying to flame in any way, but my personal preference is open. As soon as I heard of the droid I knew someone would make something; you can say that about any linux install as well.
Regardless the phone you are using, you must assume that someone can be listening to your phone conversation. On a home wireless phone, all it takes is a scanner from radio shack. On your cell, it requires slightly more sophisticated hardware, but can be done. Heck, Apple has a patent out for the iPhone built-in listening techniques.
My advice? If you use a credit card, make sure it has consumer fraud protection. And NEVER under any circumstances use a bank card over the phone. Yes bank cards usually have fraud protection, but any disputes will tie up your funds for longer than you think. Better to tie up your credit during a dispute, than your bank account.
Yes. My last 3 were online activation.
I went to the website printed on the card, entered the last 4 digits and followed the prompts. No phone call required.
Plus the BS of "you must call from our home phone" is a crock. I do it from random phones and it works fine.
Do not look at laser with remaining good eye.
Do you pay 100% of your balance every month BEFORE the grace period? if not then your 1% cash back is worthless.
It's dumb to pay 18% interest on something so you can get 1% back.
Knives, trojans, and hacking...reminds me of my college days when I stuck a phone ringer in my roommates iron. Every time he was ironing his shirts I would remotely activate the ringer. He ended up burning both of his ears before he realized what was going on.
Your credit card company has your phone number on file, if you call from that number they generally won't ask for the credit card number or the full number, if you call from a different phone then they will ask for more info. That's why the little stickers say to call from your "home phone" or did in the past few years.
Not all life is cyber. Extra Income
Who's to say this software couldn't be easily adapted to pick up on credit card numbers that are spoken out loud in any location. A hidden wireless microphone could be placed at a target location and monitored for weeks if necessary just waiting to pick up on those digits. Why not add a plug-in for dates-of-birth, drivers license numbers, and other personal identifying info? For identity thieves such passive monitoring software could reap in millions from unsuspecting victims with little effort at all.
Possible applications for law enforcement - program it to pick up on conversations only about drugs or money laundering rather than waste countless man-hours listening to every call some mobster makes to his grandmother or ordering pizza.
To be honest, I'm pretty sure Google can pull trojans off its Market. The victim would have to be stupid enough to (a) download an app from an untrusted source, and (b) click through the "This app has access to this stuff" warning without reading it.
In other words, it's not much more different than PCs.
"We are Microsoft. You shall be assimilated. Competition is futile."
Actually a sharp knife is a safe knife, most knife injuries are from having a dull knife slip.
...Android is vulnerable because it's open source, or so sayth the idiot CEO of Trend Micro...
Not to worry, I gave your credit card number over the phone just last week!
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
different than a Mac/PC keylogger how?
While people are somewhat open to the idea of their computer getting a virus they don't expect their phones to be tapped by thieves. It's a legacy of the analog world; many consider voice to be more secure than submitting a web-based form.
That's not how they avoided collision. Banks have fully integrated CID data into their AVR systems for a long time now. You called in with the phone registered to that account, they immediately knew the card number that was up for activation but had you confirm it regardless. Likewise, for a bit more security they had you confirm part of your SSN. This is all well and good, until the registered number associated with your account is a cellphone with compromised software that can relay a call from an attacker, an attacker who happens to have already picked off your SSN via other communications, and is now sitting on a fully activated, high-limit card with your name on it.
Fanboi much?
Never. I agree. Apple has enough employees and technology to thoroughly check apps it allows into the app store.
And wouldn't it be cool if Google had built in an app kill switch like Apple did?
You are hereby reminded not to get an Android phone if you lack the ability to do simple web searches.
In the team's research paper (PDF), they suggest a defence mechanism against Soundminer: an intermediary layer that analyses input from the microphone before passing it to an application, able to detect credit card numbers and prevent their transmission to Soundminer-like Trojans.
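The detection idea in the two comments above (a long run of touch-tone digits is probably a card number, and an intermediary layer can spot card numbers before audio-derived input reaches an app) can be made concrete with a small filter. The example below is added here and is not the research team's code; it assumes the microphone or DTMF input has already been turned into a string of digit characters (constructed sample strings are embedded), and it combines the length test with the Luhn checksum that payment card numbers satisfy, which cuts down on false alarms from other digit strings such as PINs or phone numbers. It then redacts the matches, which is the "prevent their transmission" step.

```python
import re

# Payment card numbers used by the major schemes are 13 to 19 digits long.
MIN_LEN, MAX_LEN = 13, 19

# A run of digits, optionally separated by single spaces or dashes, which is how
# speech-to-text or a caller pausing between groups would leave them.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubling every second digit from the right, summing to 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(digits: str) -> bool:
    """Length in the card range and Luhn-valid: the two cheap tests an intermediary
    layer can apply before it hands recognised digits to an application."""
    return MIN_LEN <= len(digits) <= MAX_LEN and luhn_valid(digits)


def find_card_numbers(stream: str) -> list:
    """Return the digit strings in `stream` that look like card numbers."""
    found = []
    for m in DIGIT_RUN.finditer(stream):
        digits = re.sub(r"[ -]", "", m.group())
        if looks_like_card(digits):
            found.append(digits)
    return found


def redact_card_numbers(stream: str, placeholder: str = "[CARD]") -> str:
    """Replace card-like digit runs so an app behind the filter never sees them."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return placeholder if looks_like_card(digits) else m.group()
    return DIGIT_RUN.sub(repl, stream)


# Constructed samples (not captured data). The first mimics a DTMF sequence typed
# into a payment line (card number, then '#', then a PIN); the second mimics a
# speech-to-text transcript of the same caller.
DTMF_SAMPLE = "4111111111111111#1234"
TRANSCRIPT_SAMPLE = "my card number is 4111 1111 1111 1111 expiry 12 24"
HARMLESS_SAMPLE = "call 555 0199 later, order 1234567890123456"

if __name__ == "__main__":
    for sample in (DTMF_SAMPLE, TRANSCRIPT_SAMPLE, HARMLESS_SAMPLE):
        print(find_card_numbers(sample), "->", redact_card_numbers(sample))
```

The 16-digit order number in the harmless sample is the right length but fails Luhn, so it passes through untouched; the PIN after the '#' is too short to be a card number and also passes. A real filter would need to handle digits spoken as words ("four one one one") and digits split by longer pauses, which this example does not attempt.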
This is possible, but why not take it one step farther (and simpler) and just make an event handler that lets you know what is going on when. These apps all work WITHIN the security construct of the Android OS. They don't even have to exploit code defects or undermine system permissions for this to work; they ask the user if the app is allowed to record (possibly during phone calls) and if it's also allowed to send data (possibly right after a phone call). The user doesn't put two and two together, allows the activity and doesn't give it a second thought.
Interlude: This isn't a problem just with "ok-mashing lusers" who blindly accept permissions on anything that comes along. You might want an app with the ability to record voice calls (for security, quality assurance, etc.) and you might want that app to also be able to send data to the internet so it can upload the audio, or something similarly useful. What even the smartest of the smart users don't have any visibility over is the actual source code of all of these apps, to make sure that the app is *only* doing what you want it to. Even astute users, who do everything right except for misplacing their trust in the app developer, can fall for this attack.
Solution: Introduce an event handling feature that can be set up to notify users of possibly malicious activity. If you are paranoid, you will check all the boxes off and be notified when "a third party app is recording while the phone is active", "a third party app is backgrounded and sending data to an internet service and is not on the whitelist", etc. etc. etc. This way you can tell if some random app you didn't even think you were using at the time happened to get ahold of some data you didn't want it to have, and sent it off to a collection server. Is it going to stop the activity? No. Is it going to give the average user who pays attention to their phone but doesn't have the time/wherewithal to do code audits on every app they have installed? YES.
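The notification scheme proposed in this comment amounts to a small correlation rule set over OS-level events. The example below is added here and is not Android's API or any shipped feature; it assumes a hypothetical audit feed in which each line carries the app, the event kind and a few flags (a constructed log is embedded), and it raises the two notifications named above plus a combined one when the same non-whitelisted app records during a call and then uploads in the background shortly afterwards, which is exactly the sequence the summary describes.

```python
# Constructed sample audit feed (hypothetical format, not real Android output).
# Three apps: one behaves like the Trojan described in the summary, one is a
# call recorder the user has whitelisted, one is a music app doing nothing odd.
SAMPLE_EVENTS = """\
t=100 app=com.example.notes event=AUDIO_RECORD_START call_active=true
t=160 app=com.example.notes event=AUDIO_RECORD_STOP call_active=true
t=175 app=com.example.notes event=NET_SEND foreground=false bytes=48213
t=200 app=com.example.callrec event=AUDIO_RECORD_START call_active=true
t=260 app=com.example.callrec event=NET_SEND foreground=false bytes=91000
t=300 app=com.example.music event=AUDIO_RECORD_START call_active=false
t=330 app=com.example.music event=NET_SEND foreground=true bytes=512
"""

# Apps the user has explicitly allowed to send data from the background.
WHITELIST = {"com.example.callrec"}

# How long after a call-time recording a background upload is still treated as linked.
WINDOW_SECONDS = 300

RECORDING_DURING_CALL = "third-party app is recording while a call is active"
BACKGROUND_SEND = "backgrounded third-party app is sending data and is not on the whitelist"
RECORD_THEN_SEND = "app recorded during a call and uploaded in the background shortly after"


def parse_event(line: str) -> dict:
    """Turn one 'key=value key=value' line into a dict; timestamps become ints."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["t"] = int(fields["t"])
    return fields


def detect(log_text: str, whitelist=WHITELIST, window: int = WINDOW_SECONDS) -> list:
    """Return (time, app, message) notifications for the events in `log_text`."""
    last_call_recording = {}  # app -> time it most recently started recording during a call
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        app, t = ev["app"], ev["t"]
        if ev["event"] == "AUDIO_RECORD_START" and ev.get("call_active") == "true":
            last_call_recording[app] = t
            alerts.append((t, app, RECORDING_DURING_CALL))
        elif ev["event"] == "NET_SEND" and ev.get("foreground") == "false":
            if app in whitelist:
                continue  # the user opted this app in; no notification
            rec_t = last_call_recording.get(app)
            if rec_t is not None and t - rec_t <= window:
                alerts.append((t, app, RECORD_THEN_SEND))
            else:
                alerts.append((t, app, BACKGROUND_SEND))
    return alerts


if __name__ == "__main__":
    for t, app, msg in detect(SAMPLE_EVENTS):
        print(f"t={t} {app}: {msg}")
```

Run against the sample, the notes app produces the call-time recording notice and the combined record-then-upload notice, the whitelisted call recorder only produces the recording notice (the user chose to allow its uploads), and the music app produces nothing because it never recorded during a call and only sent data while in the foreground. As the comment says, this informs rather than blocks; the value is that the user sees the two permissions being exercised together.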
Not only that but they charge the merchant fees for doing so. The credit card companies certainly aren't losing any money due to fraud.
I'm pretty sure everyone likely to read your post already knew that. I have my credit card set up to be paid by direct debit automatically, so 14 days after the end of the billing period (i.e. before they would start charging interest) they take the money. Because it's Direct Debit, it's covered by the Direct Debit guarantee, so my bank can reverse it for me easily. They send me an email each month to remind me to check the bill online (they don't send paper ones).
In effect, I have something that functions like a debit card, but for which I get 1% back and between 14 and 45 days of interest-free loan on every purchase. Since I have an offset mortgage, the money on every purchase I make on my credit card sits in my current account for 14-45 days after I've spent it, reducing the interest that I pay on my mortgage (this saves less than the price of a pint of beer each month, but it's still nice to have for no effort).
I am TheRaven on Soylent News
Yes, yes I do. It is my grownup way of sticking it to the man. Also I would pay nowhere near 18% on any CC I hold.
Oops, I meant to type "Who said 'is secure'" not "Who said 'more secure'". I accidentally repeated the parent's phrase. Ie., no one said analog is secure. Just that the physical effort of an analog tap makes it more secure than the automation of a digital tap.
In order to be PCI compliant, the store I work at no longer takes CC#'s via email. If you don't want to or can't use our ecommerce site, your only option is to call in with the CC#.
"If sorry were enough, we wouldn't need seppuku"
The Apple review process is closed, but I'm fairly sure they don't examine machine code to determine exactly what each line of code does. Even if they looked at source, obfuscated code can hide a payload. Delivery of data to a third party is easier to detect, but if you use some steganography to conceal illegitimate data with legitimate data then it'd take some very close analysis to detect it.
Once installed, Soundminder sits in the background and waits for a call to be placed -- hence the access to the 'Phone calls' category....
Er, perhaps this is why you should not be giving random applications access to your phone calls. There is a reason the android security system prompts you for this stuff.
Yes, but another reason to use a CC in this case is that if a thief makes a $500 purchase with your stolen debit card number that money is gone immediately and you have to wait for the bank to give it back to you (good luck with that, that would take a week at the least).
With a credit card, you haven't actually paid anything until the bill comes, and thus aren't out $500 randomly for a week because of some thief.
Reminds me of Happy99. That was the first I remember running into a working program that did what it said it would do that was also a virus (well, we didn't call them viruses at the time, but they do now). Well, aside from keygens and such that people were already wary of.
Learn to love Alaska
That an app store can't catch every malicious app before approval doesn't mean it isn't useful to catch most.
And the Android kill switch is only for apps downloaded off Google's own marketplace. Android fans here often praise the openness of being able to install apps from anywhere. But that also means that security wise, they're fucked.