PlaceRaider Shows Why Android Phones Are a Major Security Risk
The latest Android vulnerability -- highlighted by U.S. Navy malware and, thankfully, not in the wild -- takes near-constant pictures to determine a phone's location. It's yet another strike against Android phones and is all the more reason to ban them in your BYOD policy, columnist Rob Enderle writes.
By Rob Enderle
PlaceRaider is malware created by the United States Navy to showcase Android vulnerabilities. (The full paper, which includes mitigation advice, can be found here.) PlaceRaider activates a phone’s camera and forces it to take pictures almost constantly. The originator of the malware uses the pictures to create a 3D image of the phone’s location without the owner’s knowledge, bypassing any physical or personal security measures.
Malware Takes Pictures, Creates Video
PlaceRaider showcases a significant problem with smartphone cameras. The access permissions that PlaceRaider requires are no different than those of typical “innocent enhanced camera applications,” the Naval Surface Warfare Center says, so a user could voluntarily install a “safe” application from an official app store without thinking of the implications. It would be hard for the owners of infected smartphones to know what’s happening, too, as the first indication would likely be excess data charges on the monthly bill.
Now, if the phone is in a pouch, pocket or purse, the risk is low, since the camera is unlikely to capture useful images. The risk manifests when someone is using the phone and the camera can see its surroundings. With an older phone that can’t multitask, the risk of exposure is limited, since the phone should not be able to run the malware while on a call. Even for phones that can’t process data and voice calls at the same time, though, the risk is real, as the phone could cache the pictures and then send them in a batch when it can make a data call.
While the risk with this particular app is only visual, malware that tracks audio could effectively bug every phone running Android 2.3—the version the researchers worked with—and listen to all private conversations occurring within its range. Moreover, some of these phones have made significant advancements in noise cancellation that can even make conversations in a crowded room understandable. (Charging an Android phone in the bathroom or bedroom, then, is a bad idea.)
Google’s Attitude Toward Privacy Is Bad News
While it’s doubtful the U.S. Navy will release this app into the wild, it is likely that some other group may release a similar application—after all, the capability to capture a celebrity or politician accidentally making news, or to get critical intelligence on a foreign government, rival political party or business competitor, brings massive power. It also suggests that any smartphone may eventually be at risk, and that the only appropriate long-term fix may very well be the ability to ensure that monitoring software can’t be used on phones in secure areas.
Is it any smartphone, though? Researchers indicate that PlaceRaider or similar malware could run on the iOS, Windows Phone and BlackBerry platforms, but the highly curated nature of their related application stores makes it far less likely that such an app would “sneak through” and be available for download. That happened to the Google Play store earlier this year, when 100,000 Android devices were infected with malware after users downloaded mobile games, and that came on the heels of a report that Bouncer, the Google malware detection system, is easy to crack.
Google itself doesn’t have a great reputation, either. Given the company’s history with its mapping activities and its cavalier attitude toward privacy—both exemplified in the Google Street View spying incidents—it’s entirely possible that an app such as this could actually be passed off as a feature for indoor navigation. (Google Maps already offers indoor floorplans at airports, malls and certain retail stores.)
Android Phones Represent an Unacceptable IT Security Risk
Simply put, the Android platform is downright unacceptable in any area where privacy is a concern.
Any phones that have been jailbroken, use side-loaded applications that bypass the Google Play store, or come from vendors who have aggressively moved against personal privacy should likely be barred by your corporate bring your own device (BYOD) policy unless their security can be assured by some other process. While any other practice may appear in hindsight to be negligent, appearing negligent may be the least of your worries if it is your unfortunate comments or videos that go viral.
Rob Enderle is president and principal analyst of the Enderle Group. Previously, he was the Senior Research Fellow for Forrester Research and the Giga Information Group. Prior to that he worked for IBM and held positions in Internal Audit, Competitive Analysis, Marketing, Finance and Security. Currently, Enderle writes on emerging technology, security and Linux for a variety of publications and appears on national news TV shows that include CNBC, FOX, Bloomberg and NPR.