A group of security researchers has developed a proof of concept for malware that can listen for and steal sensitive data on Android OS smartphones.
The Soundminer Trojan can monitor smartphone use, sniff out and harvest target data such as a credit card number, then send it to an attacker over the mobile service network.
"We implemented Soundminer on an Android phone and evaluated our technique using realistic phone conversation data. Our study shows that an individual's credit card number can be reliably identified and stealthily disclosed. Therefore, the threat of such an attack is real," the researchers reported.
Soundminer can be adjusted to target different types of sensitive information, and is capable of escaping detection by antivirus software.
The Android OS typically prevents communication between applications without permission. The Soundminer Trojan gets around this by disguising the stolen data as something innocuous, like a vibration command, and sharing it with other malware such as the Deliverer Trojan, which can decode the hidden data and send it to the attacker.
Soundminer was designed to do the voice and number harvesting with the phone's processor, then pare the data down to only the essential information, reducing both the amount of data to be sent and the likelihood that it would trigger an alert.
Two popular Android antivirus products, VirusGuard and Droid Security's AntiVirus, both failed to detect Soundminer activity.
The exploit is complicated, and unlikely to manifest in the wild any time soon. Nonetheless, criminal networks consistently prove that what is possible is more than probable if there is money to be made.