PlaceRaider quietly builds a model of your world as seen through your Android smartphone.
Tinfoil hats at the ready, ladies and gentlemen: Researchers at the United States Naval Surface Warfare Center in Crane, Indiana, in cooperation with scientists from the University of Indiana, recently set out on a mission to see what security flaws they could uncover in smartphone devices running on Android 2.3 and above. After a few months of tinkering, their investigations led them to create a piece of smartphone malware that silently takes photos using your device’s camera, uploads them to a central database, and then uses the photos to construct a 3D image of your surroundings for the purpose of stealing things from said surroundings at a later date.
The team named their sneaky malware PlaceRaider, and described details of its use by saying that “remote burglars” could use it to “download the physical space, study the environment carefully, and steal virtual objects from the environment (such as financial documents, information on computer monitors, and personally identifiable information).” In addition to visual information stolen from your camera, the malware also picks up location and orientation data from across your smartphone’s sensors that enable it to place you, quite precisely, in the world. A simple image filter designed to detect extremely dark or blurry image patterns stops the app from inundating its servers with pictures of the inside of your jacket pocket. Any noises associated with its activities – such as the little shutter noises some smartphone cameras make – are disabled. All in all, it’s a pretty impressive piece of work.
According to the researchers, PlaceRaider would gain access to your phone by basically sneaking in behind a legit-sounding download that asks your permission to access your phone’s sensor systems (think Instagram, for instance, or one of its ilk). Once inside, it would run as a background program.
In order to test the malware, the team gave 20 unsuspecting smartphone fans an infected phone each and set about testing how much personal information they could glean from the data the malware sent back. In doing so the team discovered that, A) The photos are really pretty good for stealing information and, B) The photo-generated 3D models are even better for stealing information. Neat, huh?
Oh, and before anyone with an iPhone thinks of getting on some kind of Android-is-inferior shaped horse over this, it’s worth noting that the app’s creators “expect such malware to generalize to other platforms such as iOS and Windows Phone.” We’re all in this together, friends.
While there are infinite upsides to living in a super-connected, tech-based world, exploitable security flaws of this kind (not to mention those present in desktop computers; Flame says hello) serve as sobering reminders of the potential downsides. This time, it was a benign team of scientific researchers who found the flaw and exposed it to the world, dragging it out into the light and reminding us to pay attention to what permissions an app asks for when we consider downloading it. The era of smartphone-based antivirus programs is almost here, but til then, I hear tinfoil’s set to be one of the hottest trends of winter 2012/13. That hat is so totally you.