Security Experts:

Researchers Trigger Mobile Malware with Music, Lighting

Researchers at the University of Alabama at Birmingham (UAB) say they’ve uncovered a new set of hard-to-detect methods that could be used to trigger malware on mobile devices and lead to highly focused, targeted attacks.

According to a paper published by the UAB researchers, it is possible to use music, lighting, magnets or vibration to initiate an attack. Further, the attacks are low bandwidth, amounting to only five-bits per second.

"When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the Internet as vulnerable to malware attacks," said Ragib Hasan, Ph.D., one of the authors of the paper, in a statement.

"We devote a lot of our efforts towards securing traditional communication channels," he said. "But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that."

The researchers were able to trigger malware hidden on mobile devices from as far as 55 feet away within a crowded hallway using nothing more than music. This, the paper explains, means it is possible for malware to be programmed to be triggered by a specific audio pattern, e.g. a song.

For light-based attacks, an attacker could tap into the power supply of a building and cause rapid fluctuations in voltage, which would result in rapid flickers in the lights across the building.

"A trigger message embedded via such flickers can be read by any infected phone in the building," the paper explains. "Malware using such channels will be very difficult or impossible to detect using traditional means, because [as] such the underlying command and control channels exploit non-network air-gaps to communicate," the researchers conclude.

"Our proof-of-concept prototype exemplifies this emerging problem – using off-the-shelf hardware and popular Android-based mobile phones, we were able to send surreptitious command and control messages without using any wireless or cellular networks," according to the paper. "Our prototype malware application received the messages embedded in music, video, household lighting, or magnetic fields."

The authors said during a presentation of their work at a recent conference in China that attacks such as these are "sophisticated and difficult to build, but it will become increasingly easier to accomplish in the future as technology improves."

A copy of the paper is available online via UAB.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.