Android Focused Malware Could Extract Information From Calls

Many users who want more from their smartphones are glad to use a plethora of advanced features, mainly for health and entertainment. It turns out that these features create a security risk when making or receiving calls.

Researchers from Texas A&M University and four other institutions created malware called EarSpy, which uses machine learning algorithms to filter caller information from ear speaker vibration data recorded by an Android smartphone’s own motion sensors, without overcoming any safeguards or needing user permissions.

Ahmed Tanvir Mahdad, a doctoral student in the Department of Computer Science and Engineering at Texas A&M, explains: “A standard attack on a cell phone taps the microphone and records the voices. We are recording motion sensor data, which is not directly related to speech, and detecting caller information from that in a side-channel attack.”

According to Techxplore, the ear speakers at the top of smartphones are traditionally small and produce low sound pressures during conversations, the vibrations of which improve clarity when the phone is pressed against the user’s ear. Nowadays, some smartphone manufacturers are replacing small speakers with bigger ones to create the stereo sounds needed for videos and streaming. Since smartphones are equipped with motion sensors to record vibration data tracking user exercises and locations, ear speaker vibrations can now also be recorded and potentially compromised.

For the experiment, the researchers chose two recent Android smartphones that were similar in design and had powerful ear speakers. They played recorded voices through the ear speakers at a volume comfortable for a user’s hearing and used EarSpy to analyze the phones’ accelerometer data.

They found that EarSpy could identify if the speaker was a repeat caller with 91.6% accuracy and determine the speaker’s gender with 98.6% accuracy. EarSpy could also recognize spoken digits with 56% accuracy, five times higher than a random guess.

This means that if a user with this malware on their device speaks to a bank representative, for example, and is asked to provide identification or credit card numbers, the attacker could access the phone’s accelerometer data, pull it through an internet connection for processing, and extract the information.

The research focused on Android smartphones because motion sensor data can be retrieved from them without any explicit permission from the user.