
Loudmouth Android Malware Speaks Your Secrets

By Jill Scharr - Source: Tom's Guide US

A new type of Android malware talks about you behind your back — and like a rebellious teenager, it doesn't need your permission to blab your secrets late into the night.

Security experts at the Chinese University of Hong Kong detailed the malicious app, which they created and called VoicEmployer, in a paper titled "Your Voice Assistant Is Mine." It leverages Android's Google Voice Search, and since users generally need to be present for voice commands to work, no permissions are necessary for the app.

Once VoicEmployer is installed on a phone, it plays a low-volume audio file that says "Call number," then recites a phone number belonging to the malware's controllers. Google Voice Search hears the command and dials the number. Before you know it, your phone is whispering your sensitive data into the microphone.


VoicEmployer asked Google Voice Search questions that warranted verbal responses: "What is my IP address?" "Where is my location?" "What is my next meeting?" A malefactor could even extract personal data by asking Google Voice Search to send an email, access a photo or listen to voicemail.

VoicEmployer might not be a particularly efficient method of data exfiltration, since calling victims at inopportune times and listening to data being recited takes some doing. But it could be an ideal way to target individuals, either to steal information from them or to wage psychological warfare through alarms in the middle of the night, whispered threats and the like.

Testing VoicEmployer on a Samsung Galaxy S3, a Meizu MX2 and a Motorola A953 (renamed Droid 2 in the United States), the researchers also found a vulnerability that lets VoicEmployer activate features even when the phone is locked. The malware tricks the phone into thinking a Bluetooth device — which, by default, can make hands-free voice commands to a phone — is connected.  

"In theory, nearly all Android devices equipped with Google Services Framework [Google's built-in Android apps such as Voice Search] can be affected," the researchers wrote in their paper.

It was previously thought that apps with zero permissions couldn't do much damage, because they shouldn't be able to access a phone's most sensitive features. Yet if security experts could come up with such a program, so could enterprising cybercriminals. An app that required no permission could easily hide in any other app, including social media, streaming video or games.

There isn't much users can do to prevent this from happening; the fix to Google Voice Search will have to come from Google's end. Until then, avoid apps from questionable developers, keep your phone close at hand and consider turning it off at night — or checking the call record in the morning.

 Jill Scharr and Marshall Honorof are staff writers for Tom's Guide. You can follow Jill on Twitter @JillScharr and on Google+. Follow Marshall @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

Discuss
  • -6
    Alec Mowat, July 29, 2014 10:54 AM
    It's why I have an iPhone. I like my cellphone to be locked down. It works, like a phone, when I need it to. Everything else is just a plus. Stable and virus free, all apps are reviewed prior to release.
  • 6
    dstarr3, July 29, 2014 11:31 AM
    Yes, but by buying an iPhone, you're stuck with an iPhone. And that's a fate far worse than any malware.