Don’t fear the Android security bogeyman

Academic security researchers have created an ingenious piece of malware that runs on Android cell phones and steals credit card details.

As is typical, many are heralding it as a sign of a smartphone security apocalypse, but they need to calm down. Cybercriminals simply aren’t that smart, and there’s nothing new to be worried about.

The so-called Soundminer malware listens in on phone conversations and uses speech recognition to decode credit card and PIN details that users might mention when calling their bank, as an example. DTMF tones heard when keys are pressed are also recognized and decoded.

The data is then passed to another piece of malware, called Deliverer, which sends it off to the hacker’s HQ via the Internet.

The clever part is how the two pieces of malware bypass Android’s built-in security.

Individual permission is required from the user for each newly-installed app that wants to access a specific hardware component.

A program that wanted permission to access the microphone and also send data would be a little suspicious, so Soundminer only requests to use the microphone. The Deliverer malware only requests to send data.

Data exchange between the two programs would also be viewed as suspicious, so they use system communication channels built into Android that are designed to share system settings information. These only allow a handful of bytes to be transferred, but that’s enough for a credit card number.

Soundminer could be hidden in simple app that, for example, required microphone access permissions in order to make an on-screen balloon blow-up based on how much the user shouted. Deliverer could easily be integrated into a simple game that requests data transmission permission in order to report high scores, for example.

In all, Soundminer is a well thought-out and ingenious piece of programming.

And that’s why we’ll never, ever see anything like it in the real world.

Criminals always prefer a quick and dirty approach. It’s one of their defining characteristics

There are two ways to rob a bank. You could get a job there and embezzle money secretly. Or you can run in, wave guns, and run out as quickly as possible with bags of money.

Guess which is more popular?

Sophistication, subtlety, and mastermind intelligence is limited to the movie criminals. The most successful criminals in the real world are those who keep things simple, and cybercrime is no different.

I’m not suggesting we underestimate cybercriminals but the chances of them creating something as clever as Soundminer are extremely limited. It took a team of university researchers to come up with Soundminer, working at the City University of Hong Kong and Indiana University.

Ultimately, why would cybercriminals want to bother with something as elaborate as Soundminer, when they can just send phony e-mails that catch-out gullible users and rake in the money?

Good malware doesn’t need to be clever or well made. It just needs some way of fooling people into handing over useful personal details, which history has proved is actually pretty easy. It also needs some way of travelling around from device to device and, crucially, there’s nothing new in the Soundminer research to indicate how this might be done.

Soundminer highlighted some design flaws within Android, that hopefully will get addressed quickly, but there’s really nothing else to cause concern.

Security companies are hailing 2011 as the year smartphone malware goes mainstream but we should guard against such pronouncements. The more scared we are, the more likely we are to buy malware protection products. We can’t trust the word of people who are trying to sell us something.

Security companies like to quote large numbers of antivirus definitions but we should bear in mind that many of these are likely to be impotent threats. Some are useless because they’re so badly made that they just don’t work, while others might have been a risk at one time but no longer apply because of firmware upgrades. Most won’t even affect your make or model of phone.

For example, desktop antivirus products typically claim to protect us from millions of viruses, but many of them haven’t affected computers since the 1980s. Yet malware companies still like to count them in order to present a satisfyingly worrying picture.

Computer security is a massive industry, and it’s in the interests of several people and organizations to make us feel afraid. The people who are likely to make most money out of malware in the long term are security companies. While we shouldn’t ignore cell phone security scare stories, we should certainly read them with a cynical eye.

Keir Thomas has been writing about computing since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com and his Twitter feed is @keirthomas.