Jan 24, 2011 05:30 GMT

A group of security researchers has created an experimental trojan for the Android platform that can detect and record spoken or inputted high-value information, like credit card details, during phone calls.

The proof-of-concept app is dubbed "Soundminer" and is the creation of Roman Schlegel from the City University of Hong Kong and Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and Xiao Feng Wang from Indiana University Bloomington.

According to THINQ, the app can be distributed as a call or voice recording tool and asks for the "phone calls," "personal information," and the "hardware controls" permissions on installation.

Once running on a phone, Soundminer records all calls silently and then analyzes them locally for sensitive information based on configured data profiles.

The extraction can also be influenced by the called number, like that of a known phone banking hotline.

The rogue app can recognize both spoken and inputted credit card numbers as requested by interactive voice response (IVR) systems.

It can determine the DTMF tones made by presses on the virtual keyboard and can convert them back into their equivalent digits.

By itself, the trojan can't send the data out. Requesting network access during installation might attract suspicion, because a recording app does not need to communicate with the Internet.

Therefore, the pieces of information extracted by Soundminer need to be siphoned off the phone with the help of another network-enabled "deliverer" app.

But since Android's architecture prevents apps from exchanging data with each other, the researchers were forced to come up with an unusual way to relay the information from the trojan to the deliverer.

They achieved this by having Soundminer modify settings like backlight timeout or the ring volume in sequences that are meaningful for the deliverer app.
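A defender's view of the settings-based relay described above, as an added example that is not from the article or the researchers' paper: a sliding-window check that flags an app writing the backlight-timeout or ring-volume setting unusually often. The log format, package names, setting keys and thresholds are assumptions made for illustration, and the log is assumed to be in time order.

```python
from collections import defaultdict, deque

# Constructed sample log (not real device output): "<epoch_s> <package> <setting>=<value>"
SAMPLE_LOG = """\
1000 com.example.launcher screen_off_timeout=30000
1002 com.example.recorder volume_ring=3
1003 com.example.recorder volume_ring=5
1004 com.example.recorder screen_off_timeout=15000
1005 com.example.recorder volume_ring=2
1006 com.example.recorder screen_off_timeout=60000
1007 com.example.recorder volume_ring=7
1400 com.example.launcher volume_ring=4
malformed line without fields
2000 com.example.recorder volume_ring=5
"""

# Assumed keys standing in for "backlight timeout" and "ring volume".
WATCHED = {"screen_off_timeout", "volume_ring"}


def parse(line):
    """Return (ts, package, setting), or None for a line that does not match."""
    parts = line.split()
    if len(parts) != 3 or "=" not in parts[2]:
        return None
    try:
        ts = int(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].split("=", 1)[0]


def flag_bursty_writers(log_text, window_s=10, max_writes=4):
    """Flag packages with more than max_writes watched-setting writes inside
    any window_s-second span. Returns {package: peak writes in a window}."""
    recent = defaultdict(deque)  # package -> timestamps still inside the window
    flagged = {}
    for ts, pkg, setting in filter(None, map(parse, log_text.splitlines())):
        if setting not in WATCHED:
            continue
        q = recent[pkg]
        q.append(ts)
        while ts - q[0] >= window_s:  # drop writes that fell out of the window
            q.popleft()
        if len(q) > max_writes:
            flagged[pkg] = max(flagged.get(pkg, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(flag_bursty_writers(SAMPLE_LOG))
```

A person adjusting volume or screen timeout by hand produces a few isolated writes, so the threshold and window are the tuning knobs that separate that from a rapid sequence of writes by one package.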

"Soundminer performs efficient, stealthy local extraction, thereby greatly reducing the communication cost for delivering stolen data.

"Soundminer automatically infers the destination phone number by analyzing audio, circumvents known security defenses, and conveys information remotely without direct network access," the researchers write in the paper. [pdf]

The team proposes a defense layer which involves an editable list of phone numbers for which call recording is disabled by the operating system itself.

Soundminer will be presented at the upcoming Network & Distributed System Security Symposium in San Diego, but a demo video is already available online.