Pulling out your phone in a cinema or a room with flickering lights could be enough to trigger malicious software on your smartphone, researchers have found.
Mobiles infected with hidden malware could be triggered if their in-built sensors – microphones, cameras or vibration sensors – picked up pre-defined signals hidden in songs, TV programmes or flickering lights.
Researchers at the University of Alabama ran a set of prototype apps on an HTC Evo running on Android 2.2.3 (Gingerbread) which could access the phone’s sensors. Aside from cameras and microphones, smartphones also contain sensors that can detect vibrations or magnetic fields, which the researchers said could be similarly compromised.
The embedded malware was programmed to remain dormant until the sensor picked up the relevant trigger – which could be anything from a song played over the radio to a specific pattern of flickering lights.
Once triggered, the activated malware would then carry out the programmed attack, either by itself or as part of a wider botnet of mobile devices.
Since most antivirus software doesn’t monitor how apps use standard smartphone features like cameras and microphones, the researchers said malware programmed for sensors posed a huge risk.
"When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the internet as vulnerable to malware attacks," lead researcher Dr. Ragib Hasan said in a paper. (pdf)
"We devote a lot of our efforts towards securing traditional communication channels. But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that."
Since the trigger needs to be relatively close to the smartphone to active any hidden malware, any threats would be limited to the local environment.
For example, since audio signals can only travel so far without interference, an infected smartphone would need to be somewhere contained, like the cinema, for an audio trigger to work.
But researchers found they only needed a short distance to transmit their triggers, and that they could even overcome background noise.
There was also nothing to stop them activating multiple infected devices in one go, creating a localised botnet to wreak some highly concentrated mayhem.
For example, if there were a number of infected smartphones in an airport, hackers could use the wider botnet to launch a denial-of-service attack and bring down the building’s Wi-Fi or other systems.
The researchers found that cameras and microphones were the most effective way to trigger malware, but also noted that a heavy bass pattern could trigger the vibration sensor.
The emergence of NFC as a payment mechanism also poses a potential danger, since particularly unscrupulous hackers could attach magnets to NFC readers and trigger a phone’s magnet sensors.
Although that means attacks would be limited, the researchers said they could still take place even if phones were kept in phones or bags.
Scouring sensor samples
The researchers focused on Android, namely because apps are allowed to run in the background and access features like the microphone without restriction.
Although they didn’t test iOS for similar weaknesses, they suggested that Apple’s restrictive policies might make it more secure.
As a possible defence, they suggested that anti-malware software should scan sensor data for signs of any hacks – though that isn’t foolproof since that’s a "heavyweight" operation, and many apps make legitimate use of sensors anyway.
Another solution could be to track how much battery sensor-using apps take up, since anything using more than one would need more power.