A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers - typed or spoken - and relaying them back to the application's creator.
The team, made up of Roman Schlegel from the City University of Hong Kong and Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and Xiao Feng Wang from Indiana University Bloomington, call their creation 'Soundminer' - and its implications are far-reaching.
Software released for Android devices has to request permissions for each system function it accesses - with apps commonly requesting access to the network, phone call functionality, internal and external storage devices, and miscellaneous hardware functions such as the backlight, LED, or microphone. These requests are grouped into categories and presented to the user at the point of installation - helping to minimise the chance of a Trojan slipping by.
Soundminer takes a novel approach to these restrictions, by only requesting access to 'Phone calls,' to read phone state and identity, 'Your personal information,' to read contact data, and 'Hardware controls' to record audio - none of which will ring alarm bells if the app is marketed as a voice recording tool.
Once installed, however, Soundminer sits in the background and waits for a call to be placed - hence the access to the 'Phone calls' category. When triggered by a call, the application listens out for the user entering credit card information or a PIN and silently records the information, performing the necessary analysis to turn it from a sound recording into a number.
The software works for both spoken numbers, as requested by some voice-activated IVR systems and by human operators, and numbers typed into the virtual dialpad on the phone - recognising the DTMF tones and translating them back into numbers again.
As Soundminer doesn't have access to the 'Network communication' category, it's unable to transmit the data it captures - relying on a second app, called Deliverer, which exists purely to relay the data to the attacker.
Predicting that this kind of attack could take place, Google has made it difficult for two applications to transfer data to each other without the user knowing about it. Working around this, the team found that if they used Soundminer to modify hardware settings such as backlight timeout and ring volume, the Deliverer app could read those settings back without arousing suspicion - a covert back-channel that makes fooling the user significantly easier.
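One way a defender could hunt for the settings-based back-channel described above, as an added example that is not taken from the researchers' paper: it scans an audit trail of settings reads and writes for pairs of apps where one repeatedly changes a setting and another reads it back moments later. The audit-trail format, the package names, the setting keys and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed audit trail (hypothetical format, not a real Android log):
# (seconds, package, operation, setting, value)
EVENTS = []
for i, v in enumerate([15000, 30000, 60000, 15000, 120000]):
    t = 100.0 + 3 * i
    # A background app keeps changing the backlight timeout...
    EVENTS.append((t, "com.example.recorder", "write", "screen_off_timeout", v))
    # ...and a second app reads it back almost immediately.
    EVENTS.append((t + 0.4, "com.example.relay", "read", "screen_off_timeout", v))
EVENTS += [
    # Benign noise: one user-driven volume change, read once by a launcher.
    (500.0, "com.android.settings", "write", "volume_ring", 5),
    (500.5, "com.example.launcher", "read", "volume_ring", 5),
    (900.0, "com.example.player", "read", "volume_ring", 5),
]


def find_covert_pairs(events, max_gap=2.0, min_rounds=4):
    """Return {(writer, reader, setting): rounds} for app pairs where the
    reader fetched a setting within max_gap seconds of the writer changing
    it, on at least min_rounds separate changes."""
    last_write = {}           # setting -> (time, writer, value)
    counted = set()           # (setting, write_time, reader): one hit per write
    rounds = defaultdict(int)
    for ts, pkg, op, setting, value in sorted(events, key=lambda e: e[0]):
        if op == "write":
            prev = last_write.get(setting)
            # Only a real change of value can carry information.
            if prev is None or prev[2] != value:
                last_write[setting] = (ts, pkg, value)
        elif op == "read" and setting in last_write:
            w_ts, writer, _ = last_write[setting]
            key = (setting, w_ts, pkg)
            if pkg != writer and ts - w_ts <= max_gap and key not in counted:
                counted.add(key)
                rounds[(writer, pkg, setting)] += 1
    # A single write followed by a read is normal; a sustained rhythm is not.
    return {pair: n for pair, n in rounds.items() if n >= min_rounds}


if __name__ == "__main__":
    for (writer, reader, setting), n in find_covert_pairs(EVENTS).items():
        print(f"{writer} -> {reader} via {setting}: {n} write/read rounds")
```

The single volume change read by the launcher stays below the threshold, so only the repeated write-then-read rhythm between the two apps is reported.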
In the team's research paper (PDF), they suggest a defence mechanism against Soundminer: an intermediary layer that analyses input from the microphone before passing it to an application, able to detect credit card numbers and prevent their transmission to Soundminer-like Trojans.
The researchers are due to present their findings at next month's Network & Distributed System Security Symposium in San Diego, but if that's too far away - geographically or temporally - you can check out a video of Soundminer in action below.
It's been a bad day for Android, as earlier we reported on an exploit that turns a handset running the OS into a USB snooping device.