Calling it a paradigm shift, university researchers were able to trigger mobile-device malware using a modest amount of music, lighting, magnetic fields or sound vibrations.
“When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the Internet as vulnerable to malware attacks,” said Ragib Hasan, an assistant professor of computer and information sciences and director of a computing lab at University of Alabama at Birmingham.
“We devote a lot of our efforts towards securing traditional communication channels. But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that,” the professor said in a prepared statement.
The study is believed to be one of the first focused on environmental sensor-based covert channels for mobile malware. Presenting their findings at a conference earlier this month, the researchers explained how sensors in ubiquitous mobile devices have opened the door to a new generation of mobile malware that unsuspecting users download onto their devices.
In one instance, the researchers used music in a crowded hallway to launch an attack on an off-the-shelf Android phone. In others, the malicious code was activated by a song with a particular pattern or the ambient light from a TV, computer monitor or overhead light bulb. In another experiment, the team, which included a researcher from the Polytechnic Institute of New York University, used magnetic signaling so the malware triggered when someone with a magnetometer on their smartphone walked within a range of influence. Still another used the high bass sound of TV and radio programs and subwoofer vibrations to impact nearby devices embedded with accelerometers.
In most cases, the user had to be within a few feet of the trigger for the attack to work, and some remained susceptible even when the device was stowed.
“We showed that these sensory channels can be used to send short messages that may eventually be used to trigger a mass-signal attack,” said UAB assistant professor Nitesh Saxena, director of a research group, in the news release. “While traditional networking communication used to send such triggers can be detected relatively easily, there does not seem to be a good way to detect such covert channels currently.”
Cell phones and wireless networks have been associated with mobile-malware attacks, but tools also have been developed to more easily monitor these channels. Out-of-band command and control communications are at present harder to detect and especially to prevent.
“The detection of out-of-band signals is complicated by the fact that the out-of-band trigger signal format can be free form. Traditional botnet command and control messages, on the other hand, travel over centralized networks obeying established protocols such as UDP or TCP/IP. However, the out-of-band covert channels can use arbitrary protocols to send the control and command messages. This makes the detection of such communication quite difficult in practice.”
Sensor-based channels also do not need to know the IP addresses of infected devices to commandeer a mobile botnet, according to the paper. In some instances the attacks used very little bandwidth, as little as five bits per second.