Trojan Steals Credit Card Numbers
It’s only a proof of concept, but it’s scary nonetheless. It’s a Trojan for Android phones that looks for credit-card numbers, either typed or spoken, and relays them back to its controller.
Software released for Android devices has to request permissions for each system function it accesses—with apps commonly requesting access to the network, phone call functionality, internal and external storage devices, and miscellaneous hardware functions such as the backlight, LED, or microphone. These requests are grouped into categories and presented to the user at the point of installation—helping to minimise the chance of a Trojan slipping by.
Soundminer takes a novel approach to these restrictions, by only requesting access to ‘Phone calls,’ to read phone state and identity, ‘Your personal information,’ to read contact data, and ‘Hardware controls’ to record audio—none of which will ring alarm bells if the app is marketed as a voice recording tool.
Research paper here. YouTube demo. Another blog post. Research paper; section 7.2 describes some defenses, but I’m not really impressed by any of them.
Henning Makholm • January 29, 2011 7:59 AM
“Hardwars controls” does sound like an awfully broad permission to give.