A new virus targeting Android-powered smartphones has been uncovered by CA security researcher Dinesh Venkatesan. This could be the first virus to really violate the security of the device by actually recording your phone conversations. All it takes is duping a phone owner into clicking “install” on an app installation page that looks very similar to those of legitimate apps, and the malware is secreted on their phone, ready to be triggered when a call happens.
Previous viruses have logged call activity, and other Android viruses have caused unpleasantness such as sending SMSs without user consent, or uploading private user data to unauthorized servers–perhaps for later criminal use, when it comes to credit card details. But this new beast is particularly potent, and a complete violation of personal security. Although installing the trojan involves direct user complicity, this isn’t necessarily a barrier to it spreading because the average user certainly clicks on unsolicited emails, and with a bit of social engineering could easily be duped into installing the virus while thinking they were getting something legitimate (a classic “trojan horse” attack).
The one plus side is that the virus doesn’t do anything with the phone call data–it simply records the calls in AMR format on the phone’s internal SD card storage (in a folder called “shanghzou/callrecord”, hinting that the code is Chinese in origin, or that we’re meant to think so). But as with sophisticated hack attacks that target personal computers, it’s completely possible that the files could be accessed later by a malicious hacker, especially since the virus also stores a special configuration file that contains data about what’s going on, and the status of a remote server. At some point in the future, the virus could be triggered to quietly upload the recordings to a computer elsewhere.
And then what? It’s possible it could be used in a targeted manner, as a much more sophisticated “phone hack” than the one behind the scandal at Rupert Murdoch’s U.K. newspapers. And don’t forget all those phone calls you make to your bank to adjust your account, or to stores to place a “secure” credit-card order. These conversations have rich data that could very easily be used for fraud.
The virus is a sign that hackers are getting innovative, and exploiting the advanced technology that we’re all carrying around in our pockets. But we can also draw a lot of lessons about innovation from this news: Google’s open approach to the way Android OS works is part of its success, but it also exposes users to increased risk–a hack like this on the iPhone would be much trickier.
As Android becomes increasingly popular, Google may be forced to tweak Android to make it more secure. Or it may be necessary to build in a more sophisticated user alert system–perhaps requiring a user to consider the security implications of allowing a specific app access to key phone features while they’re downloading it, or forcing the user to make some kind of security gesture (like writing their signature on the screen, and getting it correctly recognized) in order to highlight that they may be opening themselves up to a hack. We may also see a rapid growth in antivirus software for Android smartphones and tablets. With smartphone use exploding, the industry’s big players will only have more at stake with each passing security breach.
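For readers who want to check a device for the artifacts described above, here is an added example (not code from the researcher or from this article) that scans a copy of the phone's SD card storage for the “shanghzou/callrecord” folder and for AMR recordings identified by file header rather than extension. It assumes the storage has already been copied to a local directory; the sample file names are constructed.

```python
import os
import tempfile

# AMR container magic bytes: narrowband and wideband variants.
AMR_MAGICS = (b"#!AMR\n", b"#!AMR-WB\n")
# Folder name as reported in the article.
IOC_DIR = ("shanghzou", "callrecord")

def is_amr(path):
    """True if the file starts with an AMR header, whatever its extension."""
    try:
        with open(path, "rb") as f:
            return f.read(9).startswith(AMR_MAGICS)
    except OSError:
        return False

def scan_storage(root):
    """Return (ioc_dirs, amr_files); amr_files holds (path, inside_ioc_dir)."""
    ioc_dirs, amr_files = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        parts = [p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)]
        pairs = [tuple(parts[i:i + 2]) for i in range(len(parts) - 1)]
        inside = IOC_DIR in pairs
        if pairs and pairs[-1] == IOC_DIR:
            ioc_dirs.append(dirpath)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_amr(full):
                amr_files.append((full, inside))
    return ioc_dirs, amr_files

def build_sample(root):
    """Constructed sample tree standing in for a copied SD card."""
    rec = os.path.join(root, "shanghzou", "callrecord")
    os.makedirs(rec)
    with open(os.path.join(rec, "call_0001.dat"), "wb") as f:  # odd extension
        f.write(b"#!AMR\n" + b"\x00" * 32)
    os.makedirs(os.path.join(root, "Music"))
    with open(os.path.join(root, "Music", "ringtone.amr"), "wb") as f:
        f.write(b"#!AMR-WB\n" + b"\x00" * 32)
    with open(os.path.join(root, "Music", "notes.txt"), "wb") as f:
        f.write(b"not audio")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        dirs, files = scan_storage(root)
        for d in dirs:
            print("suspicious folder:", d)
        for path, inside in files:
            print("AMR file%s: %s" % (" (in flagged folder)" if inside else "", path))
```

An AMR file outside the flagged folder is not suspicious by itself, since ringtones and voice memos use the same format; the folder match is the stronger signal.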