Mobile Sensors Can Set Off Mobile Malware

Gone are the days when users had to click to get infected. Researchers now say that light and motion can trigger new mobile device malware, potentially making it easier to infect.

In the report, Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices, researchers Ragib Hasan, Nitesh Saxena, Shams Zawoad, Dustin Rinehart all from the University of Alabama at Birmingham and Tzipora Halevi of the Polytechnic Institute of NYU explored novel exploits of mobile malware using native sensors available today. To demonstrate the different types of attacks they used command and control channels triggered by acoustic, visual, magnetic and vibrational signaling. They also built an example to run on an Android device.

The authors conclude:

In this paper, we investigated the feasibility of sensing-enabled covert channels in mobile phones. Malware using such channels will be very difficult or impossible to detect using traditional means, because such the underlying command and control channels exploit non-network air-gaps to communicate. Our proof-of-concept prototype exemplifies this emerging problem – using off-the-shelf hardware and popular Android-based mobile phones, we were able to send surreptitious command and control messages without using any wireless or cellular networks. Our prototype malware application received the messages embedded in music, video, household lighting, or magnetic fields. Malware with the capability of using such sensor-based covert channels can also open up new threats such as the creation of localized botnets and geo-targeted attacks, which we explored briefly in the paper.