If you own an Android device, your phone could soon be used against you. Research released in late September introduced a new tool that targets Android devices by taking control of the camera to surreptitiously snap photos that can be used to build 3D images of a user’s environment. This evolution of mobile malware could be used to facilitate burglaries and espionage, not to mention to violate users’ personal privacy.
The work, conducted by researchers from the Naval Surface Warfare Center and Indiana University’s School of Informatics and Computing, introduced this new type of malware, known as PlaceRaider. While mobile malware has largely been restricted to Trojans that target sensitive information stored on mobile devices, this new breed ups the ante of previously high-end mobile attack tools that could remotely turn on the microphone of a device to record and monitor a user’s conversations.
“Remote burglars can thus download the physical space, study the environment carefully and steal virtual objects from the environment such as financial documents, information on computer monitors and personally identifiable information,” the researchers wrote in their paper.
“Remote burglars can thus download the physical space, study the environment carefully and steal virtual objects from the environment such as financial documents, information on computer monitors and personally identifiable information.”
What makes PlaceRaider so insidious is that it would only require a user to inadvertently download a malicious camera app for it to work. From there it would rely on the fact that most users typically disregard permission warnings to grant the app the access it needs to do its work. Those permissions include the ability to access the camera, write to external storage and connect to the Internet – permissions that most camera apps already require and thus are unlikely to alarm a user.
The harmful app would also disable the audible shutter sound that cameras typically make when a photos is taken and would also deactivate the photo-preview feature, thereby eliminating two obvious hints that the camera was at work without the user’s direction.
What’s more, PlaceRaider also gains access to data from a mobile device’s accelerometer, gyroscope and magnetometer, data that would give an attacker orientation readings for each piece of data.
The entire attack can be automated: The app runs in the background, the camera can be programmed to snap photos at desired intervals, and computer algorithms can be used to determine what information collected is relevant and what is not. This means that mass quantities of sensitive information can be collected and sifted through at a rapid rate.
While this is a potentially troubling development for consumers, PlaceRaider also could be used as a surveillance tool that endangers military bases and sensitive business environments.
Perhaps the lone shred of good news to come from this report is that of a potential solution: The researchers wrote that operating platforms could be adjusted to allow images to be captured only with the physical push of a button.