PlaceRaider Shows Why Android Phones Are a Major Security Risk
The latest Android vulnerability -- highlighted by U.S. Navy malware and, thankfully, not in the wild -- takes near-constant pictures to determine a phone's location. It's yet another strike against Android phones and is all the more reason to ban them in your BYOD policy, columnist Rob Enderle writes.
Fri, October 12, 2012
CIO — PlaceRaider is malware created by the United States Navy to showcase Android vulnerabilities. (The full paper, which includes mediation advice, can be found here.) PlaceRaider activates a phone's camera and forces it to take pictures almost constantly. The originator of the malware uses the pictures to create a 3D image of the phone's location without the owner's knowledge, bypassing any physical or personal security measures.
Malware Takes Pictures, Creates Video
PlaceRaider showcases a significant problem with smartphone cameras. The access permissions that PlaceRaider requires are no different than those of typical "innocent enhanced camera applications," the Naval Surface Warfare Center says, so a user could voluntarily install a "safe" application from an official app store without thinking of the implications. It would be hard for the owners of infected smartphones to know what's happening, too, as the first indication would likely be excess data charges on the monthly bill.
Now, if the phone is in a pouch, pocket or purse, the risk is low, since the camera is unlikely to capture useful images. The risk manifests when someone is using the phone and the camera can see its surroundings. With an older phone that can't multitask, the risk of exposure is limited, since the phone should not be able to run the malware while on a call. Even for phones that can't process data and voice calls at the same time, though, the risk is real, as the phone could cache the pictures and then send them in a batch when it can make a data call.
While the risk with this particular app is only visual, malware that tracks audio could effectively bug every phone running Android 2.3—the version the researchers worked with—and listen to all private conversations occurring within its range. Moreover, some of these phones have made significant advancements in noise cancellation that can even make conversations in a crowded room understandable. (Charging an Android phone in the bathroom or bedroom, then, is a bad idea.)
Google's Attitude Toward Privacy Is Bad News
While it's doubtful the U.S. Navy will release this app into the wild, it is likely that some other group may release a similar application—after all, the capability to capture a celebrity or politician accidentally making news, or to get critical intelligence on a foreign government, rival political party or business competitor, brings massive power. It also suggests that any smartphone may eventually be at risk, and that the only appropriate long-term fix may very well be the ability to ensure that monitoring software can't be used on phones in secure areas.