New Android Malware App Turns Phone into Surveillance Device

Mobile malware has largely been limited to Trojans buried inside a malicious app targeting sensitive data stored on the phone such as email, contact information and SMS messages. A new proof-of-concept piece of malicious software, however, expands the scope of mobile malware and essentially turns an Android device into a surveillance tool, bringing a whole new range of security and privacy implications into the equation.

Researchers from the Naval Surface Warfare Center and Indiana University’s School of Informatics and Computing introduced PlaceRaider late last week, putting a new spin on burglary and espionage while coining the term visual malware. PlaceRaider exploits innate weaknesses in Android to use the phone’s camera to surreptitiously take photographs, and send that data off to a command and control server where an attacker could build a 3D model of the victim’s environment.

“Remote burglars can thus download the physical space, study the environment carefully and steal virtual objects from the environment such as financial documents, information on computer monitors and personally identifiable information,” the researchers wrote in a paper published last week.

The attack is relatively low-tech, requiring a user to install a malicious camera application infected with PlaceRaider. Once the data is uploaded to the C&C server, the attacker can use a variety of available open source viewer and modeling software to reconstruct the space in question. This research ups the ante on previous mobile attacks where attackers could remotely turn on a device’s microphone and listen in on conversations or monitor the device.

With PlaceRaider, Robert Templeman, Zahid Rahman, David Crandall and Apu Kapadia have brought remote capabilities to such visual attacks; past attacks have required the attacker to be within visual range of the target.

“We show how PlaceRaider allows remote hackers to reconstruct rich three-dimensional models of the smartphone owner’s personal indoor spaces through completely opportunistic use of the camera,” they wrote.

A victim would have to download a malicious camera application to initiate the exploit. PlaceRaider collects not only images but also data from the device’s accelerometer, gyroscope and magnetometer, giving the attacker orientation readings for each piece of data. The app runs in the background on the device and can be configured to take pictures at particular intervals without the user’s knowledge. The researchers are counting on the user to give the application permission to access the camera, write to external storage and connect to the Internet. Most camera apps require these permissions, so the requests are not likely to raise any suspicion.

PlaceRaider also requires root access to change audio settings in order to mute the audible shutter sound cameras emit when photos are snapped. It also disables the photo preview feature on the device, another would-be hint to the user that the phone has been compromised. Again, most users, the researchers said, would disregard any permission warnings and grant the app what it wanted. As for access to sensor data from the accelerometer, gyroscope and magnetometer, Android requires no permissions at all.

PlaceRaider also weeds out “redundant and uninformative images” before sending data to the C&C server by analyzing sensor data and applying a set of algorithms to determine which images are likely useful to an attacker. The analysis sets a threshold for images, and discards any that fall below in order to lessen the burden on the phone for transmission and power consumption.

Next, the researchers used a toolkit known as Bundler, which specializes in Structure from Motion (SfM), a process of building a 3D model from two-dimensional images, along with Patch-based Multiview Stereo software and a custom plug-in built for the open source MeshLab viewer to render the 3D model of the target’s environment.

The paper details a test scenario with 20 users equipped with an HTC Amaze device running Android 2.3.3 in a typical academic setting staged with objects such as personal checks, calendars, barcodes, computer screens and more. The phone was configured to take 1 megapixel photos every two seconds. Once the data was collected, 30 percent of the models scored better than average on a subjective scale established by the researchers, the paper said.

“These results suggest that faithful 3D models of a space can often be generated from opportunistically captured images,” the researchers wrote. “This is a somewhat surprising result because most Structure from Motion approaches were designed for use with deliberately composed images.”

This particular attack could have consequences beyond home burglaries and could put sensitive business and military installations at risk. The effects of the attack could worsen if future versions of the malware could identify pre-defined objects, for example.

Prevention, however, largely remains up to the user, especially when it comes to arbitrarily granting permissions that give the malware access to the camera and audio settings. Android and iOS, meanwhile, require no permissions to access the sensors on the phone, which are used to reduce the image data transmitted to the attacker.
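The permission set described above can be checked when vetting an app. The following Python sketch is an added example, not code from the paper or from the researchers: it reads a decoded AndroidManifest.xml and flags apps that hold the camera, external storage and Internet permissions together with a background service or the audio-settings permission. The review threshold, the `sample_manifest` helper and the package names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Permissions the article says the malicious camera app asks the user for.
CAPTURE_AND_UPLOAD = {
    "android.permission.CAMERA",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}
AUDIO = "android.permission.MODIFY_AUDIO_SETTINGS"


def triage_manifest(manifest_xml):
    """Return review notes for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    services = [s.get(NS + "name") for s in root.iter("service")]
    notes = []
    if CAPTURE_AND_UPLOAD <= requested:
        notes.append("can take photos, store them and upload them")
        if services:
            notes.append("declares background service: " + ", ".join(services))
        if AUDIO in requested:
            notes.append("can change audio settings")
    # Accelerometer, gyroscope and magnetometer reads need no permission,
    # so they never appear here; a manifest check cannot rule them out.
    # Assumed threshold: the base set plus at least one extra signal.
    return {"package": root.get("package"), "notes": notes,
            "needs_review": len(notes) >= 2}


def sample_manifest(package, perms, service=None):
    """Build a constructed manifest for the demo (not from a real app)."""
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    svc = '<service android:name="%s"/>' % service if service else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="%s">%s<application>%s</application></manifest>'
            % (package, uses, svc))


BASE = ["CAMERA", "WRITE_EXTERNAL_STORAGE", "INTERNET"]
SAMPLES = [  # constructed inputs
    sample_manifest("com.example.quickcam", BASE + ["MODIFY_AUDIO_SETTINGS"],
                    service=".CaptureService"),
    sample_manifest("com.example.plaincam", BASE),
    sample_manifest("com.example.torch", ["CAMERA"]),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(triage_manifest(xml_text))
```

As the article notes, ordinary camera apps request the same three permissions, so the check only prioritizes apps for manual review; it does not identify malware on its own.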

The researchers suggest in the paper that the operating system could be adjusted to allow image capture only when a physical button is pressed, preventing surreptitious capture.

Discussion

  • Chad on

    Most victims will notice immediately that their phone battery is draining REALLY fast.

  • Anonymous on

    I probably use my phone much differently from most people.  But, in my case, the vast majority of any pictures this malware took would consist of pictures of the inside of my pocket.

  • Anonymous on

    This is absolutely crazy. Guess this means people with droids have to be more careful. 

  • Anonymous on

    Unfortunately, I suspect it is already in use but they need a little "deniability" when it's found by your Uncle Joe accidentally on his phone. Ooooops...it was just a test...really...trust us.

  • Anonymous on

    This program fails to take into account that once you are aware, you just have to hold your phone with your hand in the way.  Also, most people have their phone stored in a holster or a pocket, and only have one camera on the phone.

  • @IUPrivLab on

    Good writeup.

    A couple things.

    - We require no root access as the article claims.

    - Our human subject studies show that you DO get pics of the inside of your pocket, the ceiling, etc....a key contribution of ours is reduction of the image set to pick the good quality images. You'd be surprised how quickly the algorithm can amass enough photos to build google model.

    - Our software doesn't drain the battery very much. We didn't quantify this, but additional battery drain wasn't noticeable.

    - An interesting tidbit... pay attention and look at the large number of people that carry their smartphones on their belts using cases that expose the camera.

    We encourage you to read the paper. :-)

     

  • @IUPrivLab on

    google -> a good quality

  • Voicemail Services on

    It's very good information you shared, as I have also become the victim of this, as my mobile battery gets low very quickly and all my MOBILE APPS are not working properly... So be aware of that...

     

  • Anonymous on

    The paper is very interesting, but this summary forgets an important warning:

    "We implemented on Android for practical reasons, but we expect such malware to generalize to other platforms such as iOS and Windows Phone."

    This technique does not seem to be particularly connected to Android.

    Furthermore whenever you start a security paper asserting that "users disregard permission warnings", you are able to produce any kind of security breach!
