Researchers have developed a proof-of-concept Android program that can literally keep an ear out for credit card numbers.
Dubbed Soundminer, the software uses the phonea4a4s microphone to listen for credit card numbers spoken aloud, or typed into the phone, Forbes reports. It was developed by six researchers at Indiana University and the City University of Hong Kong, who plan to demonstrate it next month at a security symposium in San Diego.
The team set out to show how even a smart user &8212' one who doesna4a4t give unknown programs access to their keyboard or web browsing &8212' can be tricked. If a strange application asks for access to their phonea4a4s microphone instead, they may be less inclined to think it could steal their data. As they speak or type credit card numbers, Soundminer then records their information.
The software also doesna4a4t require access to a network connection to transmit data. It instead relies on a sneaky a4Acovert channela4 &8212' one that allows apps to send small bits of data to other apps &8212' to forward the stolen information to an app called Deliverer, which in turn sends the data to a hacker. According to the researchers, the Deliver app could be installed automatically upon Soundminera4a4s installation.
a4AThe covert channels that the researchers identify include the phonea4a4s vibration, volume, and screen wake-up settings, all of which are shared with other applications when theya4a4re changed,a4 writes Forbes&' Andy Greenberg. a4ABy tweaking those settings in a certain pattern, Soundminer sends a simple secret code to Deliverer, which in turn passes it on to the hacker. And because Soundminer extracts the credit card number from the audio track rather than transmit the entire file, it only has to share 16 digits with Deliverer, easily small enough for its subtle communications to the other malicious app.a4
Being the product of researchers, and not malicious hackers, Soundminera4a4s real purpose is to expose the security flaw in Android. In their paper on Soundminer (PDF link), the researchers propose that users can disable audio feedback noises, and Google could implement better app permissions, to plug the security exploit.
Check out a video of Soundminer in action below:
Next Story: RightNow acquires Q-go to improve customer service with natural language search Previous Story: Vudu HD streaming video lands on Boxee Box, Netflix coming soon
Print Email Twitter Facebook Google Buzz LinkedIn Digg StumbleUpon Reddit Delicious Google More&8230'
Companies: Google
Companies: Google
Devindra Hardawar is VentureBeat's lead mobile writer and East Coast correspondent. He studied philosophy at Amherst College, worked in IT support for several years, and has been writing about technology since 2004. He now lives in Brooklyn, New York. You can reach him at devindra@venturebeat.com (all story pitches should also be sent to tips@venturebeat.com), and on Twitter at @Devindra.
VentureBeat has new weekly email newsletters. Stay on top of the news, and don't miss a beat.
Discuss Add this link to... Bury
Comments