New IU malware records data from cell phones

IU School of Informatics professors and students have created a smartphone virus that records and steals credit card and bank account information.

But it’s just for practice.

Soundminer is a Trojan Horse malware that records conversations and the sounds of a keypad on a Smartphone without the user knowing.

It has the ability to steal the information as long as the application has access to the internet and has the potential to be used by credit card thieves.

However, the students and professors said their goal is better security for smartphones, specifically smartphones running the Google Android operating
system.

“We’re in the business of building secure systems,” said Apu Kapadia, assistant professor of computer science and informatics. “We want to live in a more secure world, but part of that job is also trying to be one step ahead of the bad people.”

Graduate students Xiaoyong Zhou and Kehuan Zhang, former graduate student Mehool Intwala and visiting doctoral candidate from City University in Hong Kong Roman Schlegel were assisted by Kapadia and associate professor XiaoFeng Wang in the development of Soundminer.

Schlegel said the team was able to stay one step ahead of the people Kapadia calls “Malware Masters” by noticing trends in Smartphone usage and researching potential threats.

“Android has increased enormously in the last year or so in market share,” Schlegel said. “If you can show that there’s some security flaws in Android and those can be fixed, that will actually benefit a large number of people.”

Schlegel said the research has received much more publicity than they expected.
It has led to the team being contacted by security systems companies as well as some “Malware Masters” wanting the code for Soundminer.

Scott Wilson, awareness, training and outreach coordinator for the University Information Policy Offices, said the problems created by Soundminer are unfortunate, but should be expected due to the nature of smartphones.

“At some point, we crossed the line between phones that had features and computers that had phones,” Wilson said. “(A smart phone) is a computer that has a phone. The same set of rules that apply to computers now apply to phones.”

Wilson also said that because smart phones are essentially small computers, protecting yourself from malware is all about user awareness.

“User awareness is huge,” Wilson said. “You have to know what you’re downloading. You have to know what your apps are using.”