Researchers Demonstrate 3D Spy Trojan for Mobile Phones

A team at the University of Indiana has created a program that, once it infects a mobile phone, can use the device as a remote-control spy that creates a 3D representation of places where the victims walks, such as an office or room in the home.

Most people worry about traditional viruses and Trojans—the malware that could infect their computer and steal data or use the system's resources to attack other computers. Yet new research shows that people should, perhaps, worry more about their ever-present mobile phones and the devices' ability to record their lives.

Researchers at the University of Indiana at Bloomington and the Crane Division of the Naval Surface Warfare Center (NSWC) created a program to use a phone's camera to take surreptitious pictures of its surroundings, weed out poor photos, and send the remaining stills back to be used to construct a 3D model of the environment. Called PlaceRaider, the project shows that virtual thieves and spies could identify and steal information from a remote location, the researchers said in a paper posted online on Sept. 26.

The attack underscores that smartphones are more than just computers. They are also sensors, with cameras, accelerometers and microphones. Attackers using "sensor malware" could use those additional capabilities to gather information not available to run-of-the-mill computer malware.

"From the attackers’ perspective, they can significantly increase their capabilities by using these programs and devices," said Apu Kapadia, an assistant professor in informatics and computing at Indiana University, Bloomington, and one of the authors of the paper. "Not only do they have access to your digital data on your device, they can listen to your environment; they can look at your environment; and they can feel the environment through the accelerometer."

In the paper, the researchers used PlaceRaider to take opportunistic pictures of the phone's current environment and then used the photos and motion information from the accelerometer to create 3D models of the environments. Digital thieves and attackers can use these models to identify objects of interest within the environment and steal information on computer monitors, financial documents or other information lying around.

Students using the 3D model were better able to detect coarse features of the environment, such as the number of doors, chairs, desks and windows. While test subjects looking at the photos identified many objects of interest—such as bar codes, checks, or a whiteboard—they had to sift through more than a thousand photos, rather than looking at a simply organized 3D image.

"We posit that (the 3D reconstruction) will perform much better for supporting navigation and virtual theft in larger space or multiple rooms," the researchers stated in the paper.

This is not the first time that researchers have tried to expand the reach of malware on mobile devices. In October 2011, researchers from the Georgia Institute of Technology showed that the accelerometer of a phone sitting on a desk could accurately guess the words typed on a nearby keyboard. The same year, Kapadia and a team of researchers from the University of Indiana and the City University of Hong Kong demonstrated an attack that could listen to phone conversations and grab sensitive details, such as credit-card numbers.

Defending against such attacks is difficult. Many of the sensor features that attackers will likely abuse are also highly useful for smartphone owners, says Kapadia. Permission changes, especially for the accelerometer, could help slightly. Forcing the camera to make a shutter sound may also help. In addition, people should start thinking about leaving their devices behind in certain circumstances.

"Don't take your phone into your bathroom or your bedroom," he said. "Be careful about the environment that you are giving it access to."

Yet, convincing consumers to leave their personal device behind will be difficult, he said, adding that he often leaves his phone by his bedside, because he uses it as an alarm clock.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...