Malware gets your Android blabbering to HACKERS

Researchers from the Chinese University of Hong Kong have developed bizarre malware that dictates contacts, emails and other sensitive text data in order to steal it. In the novel attack a seemingly innocuous app that required no permissions called a bad guy's phone number and blabbered the stolen data out of the speakers and …

  1. Anonymous Coward

    OK, got to admit, a clever line of thinking there. The way around this is to switch to <insert your carrier here>, no signal, no problem....hello, hello.

  2. thomaskwscott

    Already working on an IOS version? Find "ok google" and replace with "siri"...

    1. RyokuMas Silver badge

      "Already working on an IOS version? Find "ok google" and replace with "siri"..."

      Doubt that will work, given the hoops you have to jump through to get an app up on the store - same with Windows Phone, Amazon... compared to Play, where you just pay your $25 and upload away...

      "The price of freedom is eternal vigilance..."

      1. Blain Hamon

        You know, I've joked about security through inability before...

        Although this is probably intentional, Siri doesn't always listen like GVS; instead, you must press and hold the home button (or, if you have it enabled (it's disabled by default), hold the phone up to your ear) before it even starts listening. Access to the home button state (both to read and to write) is not exposed to the app, so it's not currently possible for the app to trigger this.

        Mind you, what I just said was on a bog-standard iPhone. On a jailbroken iPhone, all bets are off.

      2. Anonymous Coward

        It requires zero permissions. Make it an alarm app with cat pictures for "cat health training" because everyone loves fitness apps, and that will pass scrutiny.

        The only difference is I'd assume Apple would be quicker to take down any app found to have been reported. I doubt their current system scans for audio files specifically requesting "Siri browse to scamsrus.go.tu".


        Though it appears Apple have one good idea, user input before taking action. Google does not need this because it's there to collect data, not sell you pretty phones.

  3. Frank Bitterlich

    Zero permissions?

    I admit that I'm clueless when it comes to Android, but can a "zero permissions" app really initiate a phone call? If that is the case, then this Speak'n'Steal attack appears to be not the only security problem...?

    1. Anonymous Coward

      Re: Zero permissions?

      It uses the Google Voice Search to initiate the call, or that's the theory.

      Theory... They play a sound file that says "Call <BadGuysPhoneNumber>" and GVS calls the number, then they play sound files to pass the information down the phone. (Not sure how they get the information in the first place!)

      What actually happens... GVS says "Sending you're an a***hole message to Boss"

  4. midcapwarrior

    Kind of impressive

    Have to say I'm impressed with the novelty of the attack.

    Not sure of the utility but it sounds like a fun way to annoy.

  5. Anonymous Coward

    Not this again

    Android viruses and similar are like the boogeyman. Often discussed and never seen in the wild.

  6. Randy Hudson

    Why is Google Voice Search even active when the phone is emitting any sounds? Seems like a pretty obvious source of false positives, as well as wasted processing/battery.

    1. Anonymous Coward

      I think they just want all data. Even if it's all noise, you can advertise the bottom line of figures...

    2. Boothy Silver badge

      You would have thought as part of the voice control function, it would have automatically ignored anything coming from its own speaker!

  7. Shaha Alam

    Why are there no permissions to control access to the speaker?

    Oh right, the fart apps.

