Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones

Please note that the name of the malware discussed in the article below has been changed by the security researchers from ‘Soundminer’ to ‘Soundcomber,’ to avoid potential trademark issues with the “Soundminer” name. The malware discussed in the article is not related to or connected with Soundminer Inc., a Canadian firm specializing in the manufacture and sale of audio software to manage audio files.

We introduce Soundcomber, a “sensory malware” for smartphones that uses the microphone to steal private information from phone conversations. Soundcomber is lightweight and stealthy. It uses targeted profiles to locally analyze portions of speech likely to contain information such as credit card numbers. It evades known defenses by transferring small amounts of private data to the malware server utilizing smartphone-specific covert channels. Additionally, we present a general defensive architecture that prevents such sensory malware attacks.

Publications

Our research paper, which was presented at NDSS 2011:
Roman Schlegel, Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and XiaoFeng Wang, “Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones,” In Proceedings of the 18th Annual Network & Distributed System Security Symposium (NDSS ’11), pp. 17–33, San Diego, CA, February 6–9, 2011.

Video Demo

Click here to watch it on YouTube

Talks

CERIAS Talk, Nov 30, 2011.

Interviews, quotes

Insurance Networking News, “A False Air of Security”, Apr 1, 2011.
Indiana Daily Student, “New IU malware records data from cell phones”, Feb 1, 2011.

Media coverage

Communications of the ACM, “Stopping the Leaks”, Jan 2013.
Insurance News, “Can Voice Biometrics Hack Computer Security?”, Nov 14, 2011.
Today @ PCWorld, “Android Users: Here’s Some Advice To Protect Your Phones,” Sep 25, 2011.
SC Magazine, “RSA Conference 2011: Smartphone threats imminent, security lacking”, Feb 17, 2011.
eSecurityPlanet, Feb 14, 2011.
OnSoftware Blog, “Four simple rules for smartphone safety”, Feb 10, 2011.
My Consumer Electronics, “New Android “sensory malware” listens in, steals financial data”, Feb 10, 2011.
Infosecurity, “Android ‘sensory malware’ steals financial data on the fly”, Feb 10, 2011.
Computerworld Blogs, “Sensory malware: Android app listens then steals credit card data”, Feb 8, 2011.
Storefront Backtalk, “M-Commerce Insecurity Is Outrunning Mobile Payments”, Feb 2, 2011.
Schneier on Security, “Trojan Steals Credit Card Numbers”, Jan 29, 2011.
Technologijos.It, “Trojos arklys „Android“ OS – kreditinių kortelių duomenims surinkti”, Jan 24, 2011.
Security.NL, “Mobiele malware kaapt gesproken creditcardnummers”, Jan 24, 2011.
Help Net Security, “Android malware records and steals credit card numbers from phone conversations”, Jan 24, 2011.
Eliax, “Nuevo troyano roba tarjetas de crédito que dictes por tu celular Android”, Jan 21, 2011.
Le Monde Informatique, Jan 21, 2011.
Network World (Spain), “Desarollan un troyano que roba información de los móviles Android”, Jan 21, 2011.
CreditNet, “Trojan steals credit card numbers from Android phones”, Jan 21, 2011.
THINQ.co.uk, “Android Trojan captures credit card details, spoken or typed”, Jan 20, 2011.
PC World, Jan 20, 2011.
Slashdotted, Jan 20, 2011.
BigNews.Biz, Jan 20, 2011.
AndroidAppTests.com, Jan 20, 2011.
PC Space, “Android dokáže rozpoznať číslo kreditnej karty”, Jan 20, 2011.
VentureBeat, Jan 19, 2011.
Forbes Blog, “Researchers’ Android Trojan Can “Hear” Credit Card Numbers”, Jan 19, 2011.

Acknowledgment

This research was funded in part by the National Science Foundation under grants CNS-0716292 and CNS-1017782. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.