We often blame users for failing to deny the permissions requested by malicious applications on Facebook or on various mobile platforms, but the truth is that the list of requested permissions is not necessarily an indication of malicious intent, especially in this day and age when new malware pops up daily and often uses previously unthought-of approaches.
To prove this point, a number of researchers from the City University of Hong Kong and Indiana University have developed a Trojan for the Android mobile OS that requires very few and seemingly innocuous permissions, which it uses to extract credit card and PIN numbers from phone conversations and send them to a remote server via another Trojan.
The first Trojan is called Soundminer. It tracks phone calls and has the ability to recognize when credit card and PIN numbers are conveyed via phone conversations. It records only that part of the conversation and sends it to the server by using the Deliverer Trojan.
Also, the numbers don’t have to be spoken for Soundminer to extract them – they can be entered via the numeric keyboard. The tone every key produces while pressed is recorded by the microphone and “translated” into numbers, and again sent to the server.
The researchers have intentionally developed two separate Trojans for this proof-of-concept attack, since the intent was to make it undetectable both by users and by antivirus software.
The permissions needed by Soundminer and Deliverer are not unlike those requested by many other applications, but combined in one single list they might raise the users’ (and the seller’s) suspicion. Therefore, Soundminer asks only for permission to record audio, and Deliverer only for full Internet access.
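The split just described is the defender's lesson of the story: reviewing each manifest in isolation shows nothing alarming, so a check has to look at what a group of apps can do together. The following is an added example, not code from the researchers or from Android: it unions the declared permissions of installed apps that share a signing certificate and flags a sensitive combination (audio recording plus Internet access) that no single app declares on its own. The app inventory, the signer labels and the list of risky combinations are constructed for the example; the permission strings are the real Android manifest names.

```python
"""Flag groups of apps whose combined permissions are riskier than any single
app's manifest suggests (added example, not Soundminer/Deliverer code)."""

from collections import defaultdict

# Permission pairs treated as sensitive when they co-occur under one signer.
# These pairs are an assumption for this example, not an Android policy.
RISKY_COMBINATIONS = [
    frozenset({"android.permission.RECORD_AUDIO", "android.permission.INTERNET"}),
    frozenset({"android.permission.READ_SMS", "android.permission.INTERNET"}),
]

# Constructed inventory: (package name, signer label, declared permissions).
# SIGNER_A mirrors the article's split: one app records, another uploads.
INSTALLED_APPS = [
    ("com.example.recorder", "SIGNER_A", {"android.permission.RECORD_AUDIO"}),
    ("com.example.sync", "SIGNER_A", {"android.permission.INTERNET"}),
    ("com.example.notes", "SIGNER_B", {"android.permission.INTERNET"}),
    ("com.example.dialer", "SIGNER_C",
     {"android.permission.RECORD_AUDIO", "android.permission.CALL_PHONE"}),
]


def permissions_by_signer(apps):
    """Union the declared permissions of every app that shares a signer."""
    union = defaultdict(set)
    members = defaultdict(list)
    for package, signer, perms in apps:
        union[signer] |= set(perms)
        members[signer].append(package)
    return union, members


def find_split_permission_risks(apps, risky=RISKY_COMBINATIONS):
    """Return findings where a risky combination is present across apps with a
    common signer but is not declared in full by any single one of them."""
    union, members = permissions_by_signer(apps)
    per_app = {package: set(perms) for package, _, perms in apps}
    findings = []
    for signer, perms in union.items():
        for combo in risky:
            if not combo <= perms:
                continue
            # One app declaring the whole combination would already be
            # visible in its own manifest; only the split case is new.
            if any(combo <= per_app[p] for p in members[signer]):
                continue
            findings.append({
                "signer": signer,
                "apps": sorted(members[signer]),
                "combination": sorted(combo),
            })
    return findings


if __name__ == "__main__":
    for finding in find_split_permission_risks(INSTALLED_APPS):
        print(finding)
```

Grouping by signer is a heuristic choice made here, not something the article states: colluding apps need not be signed with the same key, so on a real device the grouping would have to be widened (for instance to apps that interact through the covert channels the article mentions), at the cost of more false positives.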
Communication between the two malicious applications and the transfer of the data are also low-key. The researchers took into consideration that Android might limit or block the transmission options available for the extracted information, so they explored and used various covert channels instead.
They proved that changes to the vibration and volume settings, to screen states, and other modifications that applications are allowed to make can be used to stealthily exchange information between two applications. Neither this exchange, nor the recording by Soundminer, nor the uploading by Deliverer was flagged as a malicious action by the two antivirus solutions tested, and the applications themselves were not detected as malware.
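A covert channel built on volume, vibration or screen-state toggles has a tell: a legitimate app changes those settings a handful of times, while signalling through them means many changes in a short interval. The following is an added example, not code from the researchers: a sliding-window detector over a constructed event log that flags any package whose rate of setting changes exceeds a threshold. The log format, the event names and the window and threshold values are all assumptions made for this example; stock Android does not necessarily attribute setting changes to packages in this form.

```python
"""Flag bursts of system-setting changes attributed to one app, a pattern
consistent with the covert channel the article describes (added example)."""

import re
from collections import defaultdict

# Assumed log line shape: "t=<seconds> pkg=<package> event=<EVENT>".
LOG_PATTERN = re.compile(r"^t=(?P<t>\d+(?:\.\d+)?) pkg=(?P<pkg>\S+) event=(?P<event>\S+)$")
# Event names are constructed for this example.
SETTING_EVENTS = {"VOLUME_CHANGED", "VIBRATE_CHANGED", "SCREEN_STATE_CHANGED"}

# Constructed log: a media player adjusting volume three times over a minute,
# and a second app toggling volume every 100 ms for four seconds.
_BENIGN = [f"t={t:.1f} pkg=com.example.player event=VOLUME_CHANGED" for t in (0.0, 30.0, 60.0)]
_BURST = [f"t={10 + i * 0.1:.1f} pkg=com.example.recorder event=VOLUME_CHANGED" for i in range(40)]
SAMPLE_LOG = "\n".join(_BENIGN + _BURST) + "\n"


def parse_log(text):
    """Return (timestamp, package) pairs for setting-change events only."""
    events = []
    for line in text.splitlines():
        m = LOG_PATTERN.match(line.strip())
        if m and m.group("event") in SETTING_EVENTS:
            events.append((float(m.group("t")), m.group("pkg")))
    return events


def find_setting_bursts(events, window=5.0, threshold=10):
    """Per package, find the largest number of setting changes that fall inside
    any `window`-second span; report packages whose peak exceeds `threshold`."""
    by_pkg = defaultdict(list)
    for t, pkg in events:
        by_pkg[pkg].append(t)
    flagged = {}
    for pkg, times in by_pkg.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):
            # Advance the window start until the span fits in `window` seconds.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[pkg] = peak
    return flagged


if __name__ == "__main__":
    print(find_setting_bursts(parse_log(SAMPLE_LOG)))
```

The rate heuristic only catches a channel that signals quickly; a patient sender could stay under any fixed threshold, so in practice this check belongs beside the permission-combination review rather than in place of it.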
“We note that even though we use credit card numbers as a proof of concept, the same technique can be applied to target other valuable information such as shorter PIN numbers, social security numbers (the last four digits are often requested as part of authentication), passphrases such as mother’s maiden name, and so on,” wrote the researchers.