Researchers at the University of Alabama at Birmingham say they have developed and tested malware that can be triggered on a smartphone using light, sound, magnetic fields or vibration – posing a critical new cyber-security threat.
In a paper released this month at a cyber-security symposium in Hangzhou, China, the researchers said the multitude of sensors on today’s mobile devices presented opportunities that designers of malware could exploit for a variety of purposes.
“The sensors can be used for out-of-band communication among malware-infected devices as well as for targeted command and control,” the paper said. “Malware can be triggered or commanded via audio/visual signaling transmitted through television or radio broadcasts.”
The researchers said that unlike traditional command and control communication over a centralized infrastructure such as a cellular network, out-of-band communication was very hard to detect “and even harder to prevent.”
“In addition to the misuse of the various traditional services available on modern mobile devices (such as phone calls or SMS/MMS), we posit that this malware can be used for the purpose of targeted context-aware attacks,” the paper said.
“For example, a malware that gets triggered in a movie theatre, via say a hidden audio signal embedded in a commercial, can be used for causing annoyance or even chaos; imagine, for instance, the infected devices in the theatre all playing a loud song or a siren suddenly.”
The researchers said they had built a proof-of-concept malware application using an off-the-shelf mobile phone on the Android platform to demonstrate the feasibility of their theories.
“We conducted several experiments to validate the effectiveness of these channels for command and control. Some of our experiments were conducted in real-life setting and further confirmed the threat.”
They said their intention was to raise awareness about new threats and motivate fellow researchers, device manufacturers and OS designers to build and deploy defenses before such attacks were launched in the wild, which they warned could happen “in the near future”.
“Although we are presenting essentially a new generation of attack against mobile devices, the purpose of this work is ethically sound and constructive,” they said. “By pre-empting the design of this attack and possibly staying ahead in the game against real attackers, our vision is to eventually come up with an effective defense.”
The paper suggested some ways of combatting the threat.
“An intrusion detection application running on the mobile phone itself can detect the sensor-based signaling and prevent the malware application from receiving it by monitoring the sensor data stream,” the paper said.
Instead of giving apps direct access to sensors, a virtualization layer could be created between the sensors and the applications which included a monitor to determine whether malicious activity was taking place.
“The downside of this approach is that it may be rather heavyweight and requires the phone to monitor a large number of sensor readings.”
- About Corero
- Investor Relations
- News Room
- Executive Management Team
- Corero Offices
- Contact Us