Music and Movies Could Trigger Mobile Malware

mask.of.sanity writes "Lights, sounds and magnetic fields can be used to activate malware on phones, new research has found. The lab-style attacks defined in a paper (PDF) used pre-defined signals hidden in songs and TV programmes as a trigger to activate embedded malware. Malware once activated would carry out programmed attacks either by itself or as part of a wider botnet of mobile devices."

Really?

[Anonymous Coward]

Wouldn't the app have to carry the malware payload?

Re:A good reason

[Anonymous Coward]

A better reason to ignore the torrent of mobile malware FUD being spewed by all the Windows AV vendors.

They're terrified because their business model involves being parasites bandaiding a virus ridden OS that's now failing in the market. Like fleas without a dog, hey're desperate to find a new host, but since modern mobile OSs aren't as colander-like as Windows, they're being forced further and further into snake-oil realms.

This story deserves nothing but ridicule.

Lame

[Alsee]

Lame article.

If you're already infected by malware, that malware can sit there and wait to do stuff any time it wants. Not exactly a big surprise.

-

Re:Lame

[Karmashock]

Bingo. I'd mod you up if I had the points.

Forget malware, what they're saying is that "software" can respond to input to trigger subroutines.

Which is shocking... I'm shocked... aren't you? We're both shocked... it's shocking.

So yeah... stupid article.

Breaking news!! (Or just another PR puff piece).

[gweilo8888]

This just in -- any input on your compromised device can potentially be used as a trigger for malware to launch its preprogrammed attack. News at 11!

Seriously, what kind of nonsense is this? They *could* also use your GPS / network location to activate only in a specific location, or the compass to activate only when the phone faces Mecca, or the tilt sensor and camera together to activate only when you're trying to shoot a level picture, or ... well, anything, really.

It makes not one jot of difference what they use as a trigger once your phone is compromised. The point is, it's already been compromised, and it's effectively wide-open to anything the hardware is physically capable of. How it was compromised in the first place is what's important, not meaningless conjecture on how the exploit's eventual activation can be timed in the least efficient way possible. (All this nonsensical idea would do is drain your battery in no time by holding the mic and processor active all the time, thereby ensuring the phone runs out of battery before the exploit activates.)

I mourn for the days when Slashdot posted intelligent tech articles, instead of a stream of PR puff pieces designed to spread FUD and generate clicks. There is not one useful or non-obvious piece of info in this "research".

Re:Lame

[multiben]

Yes. This ^^^
This is just fear mongering. If you've already put malware on your phone then you're boned - there are countless ways it may "activate" itself - whatever that means. Just more crap from anti virus software companies whose products are worse than the malware they're meant to prevent.

Re:Lame

[gl4ss]

and if you have malware doing constant audio/light analyzing then at least you don't need to worry about it malwareing about too long.

because you'll run out of battery pretty fast.

Re:Lame

[niftydude]

If you're already infected by malware, that malware can sit there and wait to do stuff any time it wants. Not exactly a big surprise.

-

Yes, the word "research" seems to be used rather loosely in that article.

Any input into a smartphone can be used to launch any app listening for it. This could be gps coords, barometric pressure, direction from the built in compass...

Well it is University of Alabama, perhaps we should be just grateful that they are studying something other than intelligent design [wikipedia.org].

Re:A good reason

[some old guy]

You, me, and a few thousand professionals and "power users" got your message years ago. What was true in 1995 remains true. System integrity is the owner's responsibility.

One thing that hasn't been fixed is the millions of teenage girls, grandmothers, and neckbeards clicking on every widget that pops on a screen, and falling for every "fix your PC" gimmick they see.

It all boils down to, "You can't fix stupid."

Re:A good reason

[Anonymous Coward]

Anti-malware -- so you don't have to take care of yourself.

Anti-malware -- BECAUSE SOMETIMES SHIT HAPPENS.

FTFY

So what?

[DarkOx]

The article makes this sound like its some new threat. Nobody has figured a way to infect your phone with malware by playing music or sowing a film, just trigger malware to do something whe. The phones sensors detect theses things. You have to have already been compromised via some more conventional vector.

So the question is why would anyone go to the trouble? I guess it could replace a command and control channel, I want my dodos to start at 8pm so have everyone's phone listen for the television themes for "the orrifice" or "CSI Newark", great but that is hardly a threat to mobile users more of an issue for carriers and ddos targets, who no longer have an irc channel to shut down or Dns entry to have the FBI yank but still not of great concern

What's the point if the phone's got malware anyway

[AC-x]

What is this, malware written by Dr. Evil? What's the benefit of all these overly-elaborate and exotic malware triggers when you already have malware installed that has taken over the phone? Why not just trigger it on a timer to poll a command and control server? If you want to target specific buildings you can just base it on GPS location or known wifi points etc.

Re:A good reason

[Jesus_666]

And even if we somehow made the desktop and mobile OSes completely safe without simultaneously making them useless - there's still the fortress of unassailability called SCADA and other embedded OSes that most likely aren't going to be as perfect. Unless we move to a world where every computing devise and software is EAL7 certified and every spec is guaranteed not to contain any flaws or weaknesses of any kind we'll have malware researchers because malware is lucrative enough to always be there.

And since right now we live in a world where ridiculous flaws actually make it to production, the manufacturers are often too incompetent to release a fix and perfectly normal ad networks unwittingly distributing malware (and perfectly normal websites having vulnerable backends) is not unheard of, we can't assume that restricting your browsing behavior to legit-looking sites is going to keep your system safe.

It's up to each of us to decide whether we need AV on our devices but just assuming that a device is secure just because it doesn't run on the NT kernel is delusional. For crying out loud, everyone who has an Exynos 4-based smartphone has the contents of their RAM world-readable and world-writable!