The rise of mobile malware in the last few years has been well documented, and the latest reports show that malware sending out text messages to premium rate numbers is the type users encounter most often.
This prevalence will likely not be challenged for a while – after all, there are not many crooks who would say no to a fast and easy buck – but users must be aware that new malicious software with as of yet unimaginable capabilities will surface in time.
One of these malicious programs has recently been unearthed, but luckily for all of us the Trojan posing as a camera app is currently only a prototype created by a team of researchers from the Naval Surface Warfare Center in Indiana and the Indiana University.
The name of the malware in question is PlaceRaider, and its goal is to surreptitiously take photos with Android smartphones’ built-in camera in order for attackers to be able to recreate a 3D model of the user’s indoor environment and steal all kinds of information (click on the screenshot to enlarge it):
“Once the visual data has been transferred and reconstructed into a 3D model, the remote attacker can surveil the target’s private home or work space, and engage in virtual theft by exploring, viewing, and stealing the contents of visible objects including sensitive documents, personal photographs, and computer monitors,” the researchers explained in a recently released paper.
They tested their Trojan on 20 individuals by giving them infected devices. As they went through their day, the malware would take hundreds of photos (along with orientation and acceleration sensor data) and, after filtering out the uninformative ones, would send the remaining ones to the researchers’ remote server.
The victims were oblivious to the Trojan’s activities, as the malware is designed to mute the sound of the camera’s shutter.
With the images in hand, the researchers then used a computer vision algorithm to generate a rich 3D model, which can be inspected very closely for valuable information.
The PoC Trojan has been designed for the Android platform, and the scary part is that the permissions it asks – to access the camera, to write to external storage, to connect to the network, to change audio settings – can easily be seen as legitimate when the malware is packaged within an attractive camera app.
The researchers have proved that it is highly likely that successful “visual” Trojans such as this one will eventually find their way into the wild, so in order to prevent users from becoming targets they advise them to get apps only from trusted software developers.
Among other things, hardware manufacturers are advised to implement a shutter sound that can’t be muted, and possibly even to make the taking of photos possible only when a physical button is pressed; and Google and Apple (developers of Android and iOS) are urged to make apps also ask permission to collect acceleration and gyroscope data.