PoC Trojan Steals Spoken Credit Card Numbers

The age of mobile banking is upon us. The age of mobile fraud is about to escalate.

A team of security researchers from two universities has created a proof-of-concept Trojan for Android smartphones that listens for typed or spoken credit card numbers and relays them back to the mothership. They are calling their creation ‘Soundminer’, and it has far-reaching implications. This is the sort of thing we can expect on the threat horizon for the next few years: attacks are moving away from corporate control choke-points and towards the end-user, where controls are likely to be fewer and less sophisticated.

In order to minimize nefarious activity, software on the Android platform must request permission for each system function it accesses. These requests are grouped into categories and presented to the user at installation time, and the user is expected to decide what to allow and what not to allow. As is typical when relying on wetware to make security decisions, these are not always WELL INFORMED decisions. Soundminer takes a novel approach to bypassing these restrictions: it requests access to the ‘Phone calls’ category to read phone state and identity information, to ‘Your personal information’ to read contact data, and to ‘Hardware controls’ in order to record audio. These would seem normal enough, and none would set off alarm bells in an app marketed as a voice recorder or call optimization tool.

Once installed, Soundminer sits in the background, waiting. When triggered by the placing or receiving of a call, the application listens for the specific keystrokes or sounds made during the connection that typically indicate credit card information or a PIN being entered, and silently records them. The software works both for spoken numbers, as requested by some IVR systems and human operators, and for numbers typed into the phone’s dialpad.

As Soundminer does not have access to the ‘Network communication’ category, it is unable to transmit the data it captures directly. Instead, it relies on a second app, called Deliverer, which exists purely to relay the data to the attacker. Google has tried to make it difficult for two apps to pass data to each other without the user being aware. The team found that if Soundminer modified hardware settings such as the backlight timeout and ring volume, the Deliverer app could read those settings back without arousing suspicion. This provides a covert back-channel that makes fooling the user significantly easier. In their research paper (PDF), the team also propose a defence mechanism that can detect and prevent the transmission of credit card numbers by Soundminer and similar Trojans.
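The settings-based back-channel described above has a detectable signature: a user changes ring volume or backlight timeout occasionally, whereas a sender app that encodes digits in those settings has to rewrite them many times within a few seconds, typically while a call is in progress. The following is an added example, not code from the article or from the Soundminer paper, and it is a simple rate-based heuristic rather than the defence mechanism the paper proposes. It runs over a constructed log of setting writes (the event fields, the setting names and the UIDs are all assumed for illustration) and flags any app that bursts writes to a watched setting, noting whether the burst overlapped a call.

```python
"""Flag bursts of writes to global settings that could carry a covert channel.

Added example (not from the article or the Soundminer paper). The event
format, setting names and UIDs below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Settings the article names as the back-channel medium. The key names
# are illustrative and not Android's real settings identifiers.
WATCHED_SETTINGS = {"ring_volume", "backlight_timeout"}


@dataclass(frozen=True)
class SettingEvent:
    ts: float      # seconds since boot when the write happened
    uid: int       # app UID that performed the write
    setting: str   # which global setting was written
    value: int     # new value (the covert payload, if any)


def find_covert_channel(events, window=10.0, max_writes=3, call_windows=()):
    """Return alerts as (uid, setting, peak_writes, during_call) tuples.

    An alert is raised for a (uid, setting) pair whose densest sliding
    window of `window` seconds contains more than `max_writes` writes.
    `call_windows` is a sequence of (start, end) times of phone calls.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev.setting in WATCHED_SETTINGS:
            by_key[(ev.uid, ev.setting)].append(ev)

    alerts = []
    for (uid, setting), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        peak, peak_start, left = 0, None, 0
        # Two-pointer sliding window: `left` trails `right` so that every
        # event between them lies within `window` seconds of evs[right].
        for right, ev in enumerate(evs):
            while evs[left].ts < ev.ts - window:
                left += 1
            count = right - left + 1
            if count > peak:
                peak, peak_start = count, evs[left].ts
        if peak > max_writes:
            during_call = any(s <= peak_start <= e for s, e in call_windows)
            alerts.append((uid, setting, peak, during_call))
    return sorted(alerts)


def sample_events():
    """Constructed log: one legitimate user adjustment, one system tweak,
    and one app rewriting ring volume eight times during a call."""
    events = [
        SettingEvent(20.0, 10007, "backlight_timeout", 30),   # user preference
        SettingEvent(45.0, 1000, "ring_volume", 5),           # system adjusts
        SettingEvent(300.0, 1000, "ring_volume", 7),
    ]
    # Eight writes in eight seconds, each carrying one digit (0-9)
    for i, digit in enumerate([4, 1, 1, 1, 2, 3, 4, 5]):
        events.append(SettingEvent(101.0 + i, 10042, "ring_volume", digit))
    return events


CALL_WINDOWS = [(100.0, 160.0)]  # constructed: one call from t=100 to t=160


if __name__ == "__main__":
    for uid, setting, peak, during_call in find_covert_channel(
        sample_events(), call_windows=CALL_WINDOWS
    ):
        print(f"uid {uid} wrote {setting} {peak} times in 10s"
              f" (during call: {during_call})")
```

The threshold and window are deliberately conservative: a user toggling ring volume a couple of times is never flagged, while an app that needs one write per digit of a card number cannot stay under the limit. In practice the check would sit in a settings provider or an auditing daemon, and the `during_call` flag is what elevates a burst from curious to suspicious.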

Their findings are due to be presented at next month’s Network & Distributed System Security Symposium in San Diego.