Soundminer Trojan Allows Researchers to Detect Credit Card Numbers from Smartphones
BigNews.Biz - Jan 20, 2011 - Advancements in technology have enabled manufacturers to develop more user-friendly mobile applications. New-generation mobile phones allow users to install and use operating systems and complex applications. Mobile devices with computing abilities have added to user convenience and experience. Mobile applications are now used to shop online and conduct online banking transactions.
However, mobile applications are not devoid of risks. The growing popularity and proliferation of smartphones have made them one of the prime targets of hacking attacks. Not all mobile applications come with built-in security features. Attackers take advantage of vulnerabilities and the lack of awareness among users to intrude and gain access to confidential information.
Recently, six security researchers affiliated with Indiana University and City University of Hong Kong announced the creation of Soundminer, a Trojan designed to listen for personal identification numbers (PINs) and credit card numbers typed and spoken on an Android smartphone. The Trojan disguises itself as a legitimate application and seeks access to the smartphone's microphone.
While Android devices have safeguards to detect stealth applications, Soundminer manages to extract information through covert channels such as phone vibration, screen settings, file lock and volume. The Trojan can detect an Interactive Voice Response (IVR) system used in the interaction between a user and a bank through hotline detection. The Trojan then detects the user's interaction path on the IVR through a predetermined profile for that IVR. The credit card number is detected through the tones produced during typing on the keypad. The researchers were able to separate the faint tones from other background sounds and identify the exact credit card number entered. The information gathered is sent to an application called Deliverer.
Several security firms have cautioned against the increased threat of hacking attacks on mobile applications. Users must not tamper with the affected device and should immediately report the incident to the designated counter-crime agencies. Computer forensics experts can extract logs and deleted files to trace the crime trail.
Fortunately, the intention of the discovery was to caution manufacturers against vulnerabilities in mobile devices and applications. Such sophisticated attacks from hackers may compromise the information security of the user. The information extracted can be used for blackmail, deceit, stealing funds, unauthorized transactions and identity theft. Manufacturers of mobile applications can create awareness among users of the security precautions to be followed through online training, e-leaflets or e-flyers, and videos.
Computers and mobile phones have changed the way users interact. They have also transformed the way businesses conduct transactions and transmit information. Organizations must ensure that users provided with official mobile applications, laptops and WiFi devices are aware of security threats by conducting IT training sessions and huddle meetings. A proactive approach by organizations, developers and users is crucial to reduce the instances of hacking attacks and other forms of online crime.