Cool New Malware/Spyware ;)

[Renegade]

Saw this little story on some new, pretty sophisticated software that spys on you, maps your house layout using the camera and sensors (gyro):

http://www.washingto...phone-camera-spying/

New software uses smartphone camera for spying


Researchers from the U.S. Naval Surface Warfare Center have developed malicious software that can remotely seize control of the camera on an infected smartphone and employ it to spy on the phone’s user.

The malware, dubbed “PlaceRaider,” “allows remote hackers to reconstruct rich, three-dimensional models of the smartphone owner’s personal indoor spaces through completely opportunistic use of the camera,” the researchers said in a study published last week.

The program uses images from the camera and positional information from the smartphone’s gyroscopic and other sensors to map spaces the phone’s user spends a lot of time in, such as a home or office.

“Remote burglars” could use these three-dimensional models to “study the environment carefully and steal virtual objects [visible to the camera] … such as as financial documents [or] information on computer monitors,” the researchers reported.

First reported here:

http://threatpost.co...llance-device-100112

Mobile malware has largely been limited to Trojans buried inside a malicious app targeting sensitive data stored on the phone such as email, contact information and SMS messages. A new proof-of-concept piece of malicious software, however, expands the scope of mobile malware and essentially turns an Android device into a surveillance tool, bringing a while new range of security and privacy implications into the equation.

Researchers from the Naval Surface Warfare Center and Indiana University’s School of Informatics and Computing introduced PlaceRaider late last week, putting a new spin on burglary and espionage while coining the term visual malware. PlaceRaider exploits innate weaknesses in Android to use the phone’s camera to surreptitiously take photographs, and send that data off to a command and control server where an attacker could build a 3D model of the victim’s environment.

“Remote burglars can thus download the physical space, study the environment carefully and steal virtual objects from the environment such as as financial documents, information on computer monitors and personally identifiable information,” the researchers wrote in a paper published last week.

The announcement:

http://arxiv.org/pdf/1209.5982v1.pdf

PlaceRaider: Virtual Theft in Physical Spaces with Smartphones
Robert Templeman
y;z
, Zahid Rahman
y
, David Crandall
y
, Apu Kapadia
y
y
School of Informatics and Computing
zNaval Surface Warfare Center
Indiana University Crane Division
Bloomington, IN, USA Crane, IN, USA
September 27, 2012
Abstract
As smartphones become more pervasive, they are increasingly targeted by malware. At the
same time, each new generation of smartphone features increasingly powerful onboard sensor
suites. A new strain of `sensor malware' has been developing that leverages these sensors to steal
information from the physical environment | e.g., researchers have recently demonstrated how
malware can `listen' for spoken credit card numbers through the microphone, or `feel' keystroke
vibrations using the accelerometer. Yet the possibilities of what malware can `see' through a
camera have been understudied.
This paper introduces a novel `visual malware' called PlaceRaider, which allows remote at-
tackers to engage in remote reconnaissance and what we call \virtual theft." Through completely
opportunistic use of the phone's camera and other sensors, PlaceRaider constructs rich, three
dimensional models of indoor environments. Remote burglars can thus `download' the physical
space, study the environment carefully, and steal virtual objects from the environment (such
as nancial documents, information on computer monitors, and personally identiable informa-
tion). Through two human subject studies we demonstrate the eectiveness of using mobile
devices as powerful surveillance and virtual theft platforms, and we suggest several possible
defenses against visual malware.

Seriously... check the PDF - I'm too lazy to fix that.

Anyways, it's some pretty sophisticated stuff. Guess the crackers have new competition.

[f0dder]

Too lazy to read the PDF, but...

how often do any of you guys have your smartphone camera pointed at anything interesting? When I'm carrying mine around, it's usually in one of my pockets. *If* the camera can be activated while making phone calls, I guess I could be mapped - while I don't do a lot of phone calls at home, I do tend to shuffle around when I do.

[Renegade]

You're sitting at your desk. Someone calls. You raise your phone to see whose calling. They just nabbed your computer screen.

Yep - Boring most of the time, but it's those little, opportune moments that count, and they're probably more common than you'd initially think.

As for the PDF, it gets into some technical stuff that's interesting, but probably not worth the time for most people to read it.

[f0dder]

You're sitting at your desk. Someone calls. You raise your phone to see whose calling. They just nabbed your computer screen.

-Renegade (October 03, 2012, 07:55 AM)

Taking the phone from my pocket, they'd get snaps of my floor, and perhaps (if lighting conditions are bad) some snaps of my cluttered desk. But my monitors? Nope.

If I do decide to take the call (and the camera can be activated while a call is ongoing), they'd be able to get snaps of pretty much everything in my apartment, considering how restlessly I usually shuffle around while talking

[wraith808]

You're sitting at your desk. Someone calls. You raise your phone to see whose calling. They just nabbed your computer screen.

Yep - Boring most of the time, but it's those little, opportune moments that count, and they're probably more common than you'd initially think.

As for the PDF, it gets into some technical stuff that's interesting, but probably not worth the time for most people to read it.

-Renegade (October 03, 2012, 07:55 AM)

Nope.  They'd get a blank blue screen or my speaker.  At home and at work, when I'm at my computer, my phone is on a stand and I just glance at it and hit the button if I want to answer.

[nudone]

Remind me not to take my smartphone* into my special combined S&M dungeon, top-secret classified documents store room and office (otherwise known as "the spare room").

Sounds like cool/evil technology all the same. How long before it's an everyday App and everyone starts spying on their "friends"?

*

Spoiler

I don't own a smartphone.

[40hz]

I think the talk about it being used to read a computer screen or a document on a desk is a red herring.

I think it's much more useful allowing you to confirm/discover somebody (BinLaden?) actually is somewhere; or that a someplace (communications center, weapons cache, control room?) is where the GPS coordinates say the phone is; or a something ('missing' tactical warhead, or guy in a 'bunny suit' holding a stoppered flask?) is in near proximity to the smartphone. All it would take is one quick glimpse.

Where there's a will there's a way. And where there's a confirmed coordinate for a "high value" target, there's a guy in a van 500 miles away directing an MQ-1 Predator drone towards it.
 

[Ath]

... and everyone starts spying on their "friends"?

-nudone (October 03, 2012, 08:21 AM)

Why bother if "everyone" is dumping their entire life on Facebook?

[40hz]

... and everyone starts spying on their "friends"?

-nudone (October 03, 2012, 08:21 AM)

Why bother if "everyone" is dumping their entire life on Facebook?

-Ath (October 03, 2012, 08:38 AM)

LOL! Yeah. It's almost like the guy who had a neighbor called Greta: "Anything about her sex life I couldn't learn from what I heard through our condo walls she'd be equally happy to tell me about, over a drink, down by the pool."
 

[ewemoa]

For reference, I think from a bit back:

  Emerging Security Issues Involving the Presence of Microphones and Video Cameras in the Computing Environment