The proof of concept malware, dubbed PlaceRaider, was designed by researchers working for the U.S. Navy and the University of Indiana.
Running on Android mobile devices, it was designed to call attention to the ways that rapidly evolving mobile platforms might enable new forms of virtual theft.
Writing in a paper published Thursday, the researchers said more powerful phones have created an opening for what they dub “sensory malware” that leverages the growing number of on-board sensors in the latest-model mobile phones like the iPhone 5 and Android devices.
To prove their point, the researchers created PlaceRaider to demonstrate how remote hackers could construct “rich three-dimensional (3D) models of the smartphone’s owner’s personal indoor spaces”.
The malware uses a phone’s embedded sensors, such as its GPS and accelerometer, to determine when the victim is moving within a space. It then uses the onboard camera to opportunistically snap shots of interior spaces and transfers them to a remote server, which assembles them into a 3D model of the space.
Androids were particularly well-suited for the task. The authors noted, with surprise, that the Android API doesn’t require any special permissions for an application to access sensor data on the phone, such as the accelerometer or gyroscope.
And users could easily be tricked into granting the permissions that were needed – such as to access the camera or write to local storage – if PlaceRaider were bundled into a camera app, the authors said.
In a test, the researchers installed PlaceRaider on a subject’s phone and tracked their movements and the spaces they occupied.
Researchers tested the ability of the application to export large quantities of data, and the ability of the test subjects to then use that data to snoop on occupants by zooming in to observe information displayed on computer screens or papers in the target’s home or workplace, according to the research report.
PlaceRaider and other malicious “sensory” applications like it are well within the capabilities of modern phones and modern malware authors.
However, the researchers did have to clear some technical hurdles in implementing it. Heuristic sensors were needed to weed out junk photos that didn’t reveal any new information about a space, and the volume of data collected by the malware is large enough that it could overwhelm a phone. That required the authors to create a way for PlaceRaider to automatically compress the data it was transmitting.
In addition to the malware, the authors also created tools to exploit the data the application collects. For example: they built a tool that would allow attackers to visually navigate a victim’s 3D space and zoom in on areas that might contain sensitive information. The phone could then be instructed to retrieve new, high resolution images of those spaces.
The authors recommend a number of changes to smartphones to make malware like PlaceRaider harder to implement.
Android and iOS devices could require permissions to access sensor data, and could alert users when applications appear to be using sensors – including the camera – in surreptitious ways.
Even small changes would have made it harder for PlaceRaider to achieve its goals. For example: phone makers might require physical interaction with the phone to operate the camera, or make it impossible to take a photo without the shutter sound.