The researchers behind the proof-of-concept Android malware – called Soundminer – are calling their creation 'sensory malware' and have posted a YouTube video, as well as further details of their research in a white paper on the web.
The research teams from Indiana University in Bloomington and the University of Hong Kong claim that the malware has the ability to monitor Android users' phone calls and steal account numbers spoken or entered via the number pad.
Reporting on this potentially serious development in the open source world of Google Android, the Myce newswire quotes researchers as saying that their sensory malware listens in and then steals financial data.
In operation, the newswire says that Soundminer "innocently asks users for permission to access their handset's microphone, something that most people likely wouldn't think twice about granting."
"It does not, however, ask for permission to access the Android smartphone's network, though it can still transfer a small amount of information along a 'covert channel' to another app called Deliverer. That application will then transmit the data to a remote server", adds the newswire.
By applying pattern analysis to the voice call, Soundminer appears to be able to 'predict' the likely content of a voice call – such as an interaction with an interactive voice response service on a bank computer – and attach a cybercriminal 'value rating' to the data spoken or input via the phone's keypad.
If the rating is high enough, the malware records the data stream and then relays it to a distant server.
The researchers have published a paper on their project, noting that, when they tested conventional IT security software such as VirusGuard and Droid Security's AntiVirus, neither had the ability to identify the threat even as it was actively recording audio or uploading data.
Infosecurity notes that CNET also reported on the story and that, when its reporters contacted Google, the company responded with a standard email: "If users believe an application is harmful or inappropriate, they can flag it, give it a low rating, leave a detailed comment, and of course, remove it from their device".
As the Myce newswire says: "as we continue to be more connected as a global society, we will begin to see more of these types of threats."
"Security measures obviously need to be set to a higher standard by manufacturers that develop these devices, as well as by the companies who are running the app stores."