Researchers at the University of Alabama at Birmingham (UAB) say they’ve uncovered a new set of hard-to-detect methods that could be used to trigger malware on mobile devices and lead to highly focused, targeted attacks.
According to a paper published by the UAB researchers, it is possible to use music, lighting, magnets or vibration to initiate an attack. Further, the attacks are low bandwidth, amounting to only five-bits per second.
“When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the Internet as vulnerable to malware attacks,” said Ragib Hasan, Ph.D., one of the authors of the paper, in a statement.
“We devote a lot of our efforts towards securing traditional communication channels,” he said. “But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that.”
The researchers were able to trigger malware hidden on mobile devices from as far as 55 feet away within a crowded hallway using nothing more than music. This, the paper explains, means it is possible for malware to be programmed to be triggered by a specific audio pattern, e.g. a song.
For light-based attacks, an attacker could tap into the power supply of a building and cause rapid fluctuations in voltage, which would result in rapid flickers in the lights across the building.
“A trigger message embedded via such flickers can be read by any infected phone in the building,” the paper explains. “Malware using such channels will be very difficult or impossible to detect using traditional means, because [as] such the underlying command and control channels exploit non-network air-gaps to communicate,” the researchers conclude.
“Our proof-of-concept prototype exemplifies this emerging problem – using off-the-shelf hardware and popular Android-based mobile phones, we were able to send surreptitious command and control messages without using any wireless or cellular networks,” according to the paper. “Our prototype malware application received the messages embedded in music, video, household lighting, or magnetic fields.”
The authors said during a presentation of their work at a recent conference in China that attacks such as these are “sophisticated and difficult to build, but it will become increasingly easier to accomplish in the future as technology improves.”
A copy of the paper is available online via UAB.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Chrome 114 Released With 18 Security Fixes
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Breaking Enterprise Silos and Improving Protection
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
