In the wake of the ‘premium SMS’ link, it’s worth pointing out that smartphone malware can do a lot more damage than adding some pricey line-items to the user’s phone bill. Researchers have figured out all sorts of neat ways to use smartphones for spying on the user (and whatever the user has access to): taking photos of where the person lives and works, reading all their data, listening to whatever’s being said in the person’s vicinity, and even keylogging nearby keyboards with the phone’s accelerometer. [the last one was covered here a while back]
Sure, using malware to make money is a little more tempting for most people. Watching and listening to others’ lives is cruddy, boring work. But as the researchers point out, it’s hard to say this isn’t already happening in cleverly disguised ways — there are a number of apps out there that just happen to ask for ‘permission’ to do many of these things, even though they shouldn’t need to.
““From the attackers’ perspective, they can significantly increase their capabilities by using [smartphones as a sensor platform],” said Apu Kapadia, an assistant professor in informatics and computing at the university, and one of the paper’s authors. “Not only do they have access to your digital data on your device, they can listen to your environment, they can look at your environment, and they can feel the environment through the accelerometer.”
Other research efforts have also looked at mobile devices as potential spies into the workplace. A year ago, researchers from the Georgia Institute of Technology showed how an attacker could record information typed into a keyboard using the accelerometer of a phone lying nearby on a desk. And Kapadia and other researchers had previously looked (PDF) into using voice recognition to recognize important information during phone calls, such as credit-card account numbers. […]
While there are no in-the-wild samples that suggest malware writers have matched researchers’ visions, many applications on the Android operating system have broad permissions that allow them to do some of the basics, such as make phone calls, turn on the microphone, and send SMS messages, says Dan Hoffman, chief mobile security evangelist at Juniper Networks.
In a yet-to-be-published study of 1.7 million applications, Juniper has seen that many applications have basic spyware features, even when it’s not warranted by the program’s functionality. When a program for displaying comics has the capability to use the phone in the background, that’s odd, Hoffman says.
“That’s something that could be malicious in nature, or it could be something that shouldn’t be in an application and is kind of overreaching,” he says.”