October 2, 2012
Military Researchers Warn Of Malware Disguised As Mobile Camera App
redOrbit Staff & Wire Reports - Your Universe Online
Researchers at the U.S. Naval Surface Warfare Center and Indiana University have created an Android app that can secretly record a user's environment and reconstruct it as a 3D virtual map, potentially giving spies, criminals and malicious browsers the ability to steal personal data and other physical information that could help them prepare for theft.
What makes the mobile app, dubbed PlaceRaider, particularly troubling is that it can disguise itself as an ordinary camera app for Android phones, the researchers said.
Smartphones carry a number of sensors capable of monitoring their environments in great detail, and come with powerful data processors and the ability to quickly transmit and receive data. While these features offer a number of benefits, they also provide a powerful target for hackers, allowing them to use malicious code to steal financial and other personal data.
For instance, the malware could be used to listen for spoken credit card numbers, or to use a smartphone's accelerometers to gather credit card details entered as keystrokes.
Robert Templeman, an engineer at the Naval Surface Warfare Center in Crane, Indiana, and colleagues at Indiana University in Bloomington built PlaceRaider to run in the background of any smartphone running the Android 2.3 operating system. Their idea was to create visual malware embedded in a camera app that the user would download and run, a process that would give the malicious code the necessary consent to snap and send photos.
So they created PlaceRaider, which runs in the background taking photos at random while recording the time, location and orientation of the smartphone. The app mutes the phone as the photos are taken to conceal the shutter sound, which would otherwise tip off the user. The malware then performs simple image filtering to eliminate any blurred or dark images, such as those taken inside a pocket. The remaining images are sent to a central server, where they are used to recreate a 3D model of the user's space with the aid of additional details such as the orientation and location of the camera.
Such images could then be browsed by criminals for objects worth stealing, such as credit card details, identity-related data or calendar events that could reveal when a user might be away, the researchers said.
Templeman and colleagues conducted detailed tests of the app to see how well it worked in real-life settings. They gave their infected smartphone to 20 participants who were unaware of the malware, and asked them to use it for traditional purposes in an office environment.
The resulting photos were evaluated by asking a separate group of users how much information they could gather from the images. Some of the users studied raw images, while others examined the 3D models. Both subgroups searched for basic information, such as the number of walls in the room, as well as more intricate details such as whether or not any personal checks were in view.
The researchers said they were able to create detailed models of the room from all the data sets. Furthermore, the 3D models made it much easier for malicious users to steal data from the personal office space, compared with data obtained only from the raw photos.
Although the current study analyzed the malware only on Android phones, it could likely be adapted for other platforms as well.
"We implemented on Android for practical reasons, but we expect such malware to generalize to other platforms such as iOS and Windows Phone," the researchers wrote in a report about their work.
The research is a demonstration of another potential susceptibility of smartphones. While previous malware demonstrations have shown how to hijack smartphone microphones to "hear" sensitive discussions, or how to use a smartphone's accelerometer to "feel" keyboard vibrations to infer keystrokes, PlaceRaider's ability to reconstruct an accurate 3D model of the physical environment could make the devices an even greater vulnerability than previously believed.
“As smartphones become more pervasive, they are increasingly targeted by malware. At the same time, each new generation of smartphone features increasingly powerful onboard sensor suites,” the researchers said.
Templeman speculated on ways that mobile operating systems could be made more secure, such as ensuring that the shutter sound could not be silenced, so that a user is always aware when the camera is taking a picture. However, that still wouldn't prevent the silent use of video to record data. Another potential solution might involve some type of antivirus app for smartphones, which would actively seek out potential malware and alert the user, the researchers said.
Templeman and colleagues describe their work in a September 26 report entitled: “PlaceRaider: Virtual Theft in Physical Spaces with Smartphones.”