Researchers have developed a proof-of-concept Android program that can literally keep an ear out for credit card numbers.
Dubbed Soundminer, the software uses the phone’s microphone to listen for credit card numbers spoken aloud, or typed into the phone, Forbes reports. It was developed by six researchers at Indiana University and the City University of Hong Kong, who plan to demonstrate it next month at a security symposium in San Diego.
The team set out to show how even a smart user — one who doesn’t give unknown programs access to their keyboard or web browsing — can be tricked. If a strange application asks for access to their phone’s microphone instead, they may be less inclined to think it could steal their data. As they speak or type credit card numbers, Soundminer then records their information.
The software also doesn’t require access to a network connection to transmit data. It instead relies on a sneaky “covert channel” — one that allows apps to send small bits of data to other apps — to forward the stolen information to an app called Deliverer, which in turn sends the data to a hacker. According to the researchers, the Deliverer app could be installed automatically upon Soundminer’s installation.
“The covert channels that the researchers identify include the phone’s vibration, volume, and screen wake-up settings, all of which are shared with other applications when they’re changed,” writes Forbes’ Andy Greenberg. “By tweaking those settings in a certain pattern, Soundminer sends a simple secret code to Deliverer, which in turn passes it on to the hacker. And because Soundminer extracts the credit card number from the audio track rather than transmit the entire file, it only has to share 16 digits with Deliverer, easily small enough for its subtle communications to the other malicious app.”
Being the product of researchers, and not malicious hackers, Soundminer’s real purpose is to expose the security flaw in Android. In their paper on Soundminer, the researchers propose that users can disable audio feedback noises, and Google could implement better app permissions, to plug the security exploit.
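On the detection side, the shared-settings channel described above leaves a trace: one app changing vibration, volume or screen wake-up settings far more often than a person would. The sketch below is an added example, not code from the researchers or from Android; the event format, thresholds, setting labels and package names are assumptions made for illustration.

```python
from collections import defaultdict

# Settings the article names as covert-channel carriers (labels are this example's own).
CHANNEL_SETTINGS = {"vibration", "volume", "screen_wake"}

def setting_bursts(events, window_s=10.0, min_changes=8):
    """Return {package: peak change count in any window_s span} for packages
    that reach min_changes. events: (timestamp_s, package, setting, value)."""
    stamps_by_pkg = defaultdict(list)
    for ts, pkg, setting, _value in events:
        if setting in CHANNEL_SETTINGS:
            stamps_by_pkg[pkg].append(ts)
    flagged = {}
    for pkg, stamps in stamps_by_pkg.items():
        stamps.sort()
        peak, left = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window_s:  # slide window start forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= min_changes:
            flagged[pkg] = peak
    return flagged

def triage(flagged, perms):
    """Rate a burst 'high' when the app can record audio but has no network
    permission of its own, the combination the article describes."""
    out = {}
    for pkg, peak in flagged.items():
        held = perms.get(pkg, set())
        mic_only = ("android.permission.RECORD_AUDIO" in held
                    and "android.permission.INTERNET" not in held)
        out[pkg] = ("high" if mic_only else "review", peak)
    return out

# Constructed sample data: package names, timestamps and values are invented.
SAMPLE_EVENTS = (
    [(100.0 + 0.25 * i, "com.example.recorder", "vibration", i % 2) for i in range(16)]
    + [(90.0, "com.example.player", "volume", 5),
       (120.0, "com.example.player", "volume", 6),
       (150.0, "com.example.player", "volume", 4),
       (101.0, "com.example.recorder", "brightness", 50)]
)
SAMPLE_PERMS = {
    "com.example.recorder": {"android.permission.RECORD_AUDIO"},
    "com.example.player": {"android.permission.INTERNET"},
}

if __name__ == "__main__":
    print(triage(setting_bursts(SAMPLE_EVENTS), SAMPLE_PERMS))
```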