Music and Movies Could Trigger Mobile Malware

mask.of.sanity writes "Lights, sounds and magnetic fields can be used to activate malware on phones, new research has found. The lab-style attacks defined in a paper (PDF) used pre-defined signals hidden in songs and TV programmes as a trigger to activate embedded malware. Malware once activated would carry out programmed attacks either by itself or as part of a wider botnet of mobile devices."

A good reason

[Vombatus]

to turn your phones off whilst watching a movie!

Re:A good reason

[Anonymous Coward]

A better reason to ignore the torrent of mobile malware FUD being spewed by all the Windows AV vendors.

They're terrified because their business model involves being parasites bandaiding a virus ridden OS that's now failing in the market. Like fleas without a dog, hey're desperate to find a new host, but since modern mobile OSs aren't as colander-like as Windows, they're being forced further and further into snake-oil realms.

This story deserves nothing but ridicule.

Re:A good reason

[Cryacin]

Oh boy. I can't wait until someone puts this malware into some stupid lolcatz app, and primes it to be activated when a one direction song is played. That's going to be one direction. ONE DIRECTION TO HELL!!!

Re:A good reason

[erroneus]

When it comes to computer systems, there are two camps -- freedom and not-freedom. The not-freedom camp, just as here in the good old USA, believes that we must remove freedom to remain safe. The freedom camp says life without freedom is slavery.

Both sides suffer from some common problems. Among these is that people are curious and want things. The more they want things, the more stupid they become when they want to have it. A lock on a door doesn't stop a criminal and doesn't stop a curious person. And in either camp, there are curious, stupid people who are willing to put aside good sense and caution to get what they want. It happens in every walk of life and in every environment.

Regardless of which camp you live, in the end, caution, care and restraint does the most to keep one's self safe but one always has to acknowledge there is no 100% safe if something is to be useful. Anything useful can be dangerous or safe depending on how it's used. (INB4 some jackass creates a list of 'safe things that cannot possibly be dangerous.')

I'm not denying that the AV people are intentionally stirring up fears in order to further their business models. Of that I have no doubt. And I think it is unquestionably true that more modern OS implementations are written with security in mind unlike Windows. Neither of these facts mean as much as knowledge and good practice. And isn't that what AV software is supposed to be a substitute for?

"Anti-virus software -- it's so you don't have to learn to take care of yourself!"

I run without AV 24/7 on all of my devices and some occasionally run Windows!! Shocked?! Well, I'm smart enough to run something other than MSIE and I don't run Javascript on every page from every source, I block ads and I don't run software (especially on Windows) that I don't know about. ALSO, I mitigate the possible damage which could be done in the event of compromise.

Why do people constantly tell you how important education is while at the same time avoid knowledge and wisdom at every possible opportunity? I get it -- for an advanced culture, we have to specialize. That's great. I don't make my own automobiles. But I do know how they work and have been known to fix them from time to time, just as I do computers of all sorts (laptops, desktops, servers, tablets, phones, video players, gaming consoles).

Nothing I say here or anywhere will convince people that their thinking is wrong though -- being wrong is not something easy for most people to admit -- it's their identity being called into question after all. So am I wasting my time here with this comment? I don't know... once in a while someone will read something I write and think about it.

Anti-malware -- so you don't have to take care of yourself.

I don't think I can distill that notion any further.

Re:A good reason

[some old guy]

You, me, and a few thousand professionals and "power users" got your message years ago. What was true in 1995 remains true. System integrity is the owner's responsibility.

One thing that hasn't been fixed is the millions of teenage girls, grandmothers, and neckbeards clicking on every widget that pops on a screen, and falling for every "fix your PC" gimmick they see.

It all boils down to, "You can't fix stupid."

Re:A good reason

[Anonymous Coward]

It all boils down to, "You can't fix stupid."

No, but you can fix ignorant. Don't confuse the two. The AV people have a vested interest in keeping the ordinary user ignorant since they first started.

Re:A good reason

[Anonymous Coward]

Neckbeards made your computer and the systems and programs you run on it you insensitive clod!

Re:A good reason

[Anonymous Coward]

The funny thing is, you don't really need to know more. The skill to avoid being scammed in real life can easily be applied to computers.

Re:A good reason

[TrollstonButterbeans]

"Anti-virus software -- it's so you don't have to learn to take care of yourself!"

I run without AV 24/7 on all of my devices and some occasionally run Windows!! Shocked?! Well, I'm smart enough to run something other than MSIE and I don't run Javascript on every page from every source, I block ads and I don't run software (especially on Windows) that I don't know about. ALSO, I mitigate the possible damage which could be done in the event of compromise.

Neat. So you've made a life-style and time consuming hobby out of running Windows without anti-virus. And it sounds like it is working for you. Today. Maybe your strategy works tomorrow too. Or maybe it doesn't because of something you didn't expect.

Let's say your method works 100%. How does this benefit grandma? Or a 9-old-year who likes to play Minecraft?

If your "lifestyle" or "hobby" can't be done by stupid people, you can't by defintiion be a "leader" because those people can't follow.

No I'm not defending anti-virus, I'm insulting Windows and how you are essentially making excuses for insecurities. They don't get solved by ignoring them, you know.

Re:A good reason

[erroneus]

Don't you love your grandma? The woman who is partially responsible for your existence? Why are grandparents always painted as if they are stupid? (while the rest of everyone else is painted as if they aren't?) Got some news for you sonny. People who were smart when they were younger don't lose all that much when they get older -- unless outside forces take some toll along the way. And a 9 year old? Really? The things I did when I was 9? The things my sons did when they were 9? Geez. Let's stop thinking it's all about age.

I limit my use of Windows. I don't spend my life looking after it. For example, if a thing doesn't require Windows, I will not use Windows at all. Most often, when it does, I virtualize it where possible. It's hardly a lifestyle or hobby. I just don't like to walk on rickety bridges.

Re:A good reason

[Anonymous Coward]

Funny. When I want to use something that "just works", I use Windows. All the applications and games that I expect are in that ecosystem.
If I want to be in a pay-walled garden, I use OS X. Gave up that a couple of years ago after trying it for a couple of years.
If I want to tinker with the notion of "desktop" and "window manager", I install Linux. Done that since Red Hat in 1998 or so. Linux Mint left me impressed, but, nothing I expect is available.
Now and then, I try Open^H^H^H^HLibre Office. Simple things just don't work as expected, such as referencing columns and simple spreadsheets give alot of pauses for being so small. I fantastize about using Base for my needs, but it just doesn't work without nasty surprises, just as all Linux distros.
I'm happy for Microsoft's screwups, but frankly, they deliver the best software deal when they get it right.
Hopefully, free software and open source will "get" usability and user expectations some day. I know it costs money / time, but I'm still hopeful.

Kudos for minimizing Windows usage. I'm not there when I just want to get things done, not tinkering and failing to make it work without heavy customizations, which break within the next couple of upgrades.

Re:A good reason

[erroneus]

I'm sorry... but "pay-walled"? I think I know what you're meaning to say, but pay-wall...? I think it doesn't mean what you think it means.

As far as "just works" goes, I understand what you mean, but Ubuntu "just works" often as well. So it has come down to this for my son: (Not an IT guy of any sort or by any means)

For anything chat/Internet, he uses his Ubuntu netbook. For games or anything else (non-internet) he uses his Windows machine. You somehow catch almost 0 malware when not using your machine over the internet. Games (over the internet) is still being done, but real/casual internet usage is limited to the tasks needed and only those tasks needed. Since he started operating that way, I haven't needed to reload any of his machines for well over a year now.

The point here is to use Windows only in the areas needed and only where it can be trusted. As soon as certain games become the point of vulnerability and malware infection, that will have to change... at which point I'm thinking the use of removable HDDs will be in order.

Re:A good reason

[Anonymous Coward]

When did Microsoft shills stop logging in? "Simple things just don't work as expected." Odd, that's exactly how I feel when I'm in Windows, that god damned ribbon I'm forced to use at work is a fucking nightmare. On the Windows side of my notebook at home, I curse the thing constantly, asking "why in the hell does it take ten clicks to do what I can do with two in Linux?" I finally learned to never boot the Windows side unless MS forces me to on patch tuesday because I have to reopen all my apps, documents, and tabs.

I've used word for documents at work for ten years, ever since they switched from Corel, and used Open Office to work on my book in at home. I've only used Oo for five years and am completely comfortable with it, but I'm not with Word because they completely change the damned inteface, usually for the worse, with every "upgrade" and that's usually the only change I see. Upgrading Linux adds features and speeds things up and seldom changes any UI and never unnecessarily.

Open source just works, almost always. Windows seldom does. I don't have to boot it when patches come through, but I shut he computer off every night -- when I get up, I hit the on switch, pour a cup, and the computer is just like it was when I shut it off. I've only had one Linux upgrade break anything, and the thing that broke was Flash. Going back to the previous version fixed it, with no data loss or reformatting necessary.

Lets see you do that with Windows. Windows is the one that needs tinkering. I do have Windows on one machine at home to run EAC (Audacity won't do) and on Patch Tuesday that machine is out of service, completely unusable for half an hour when it's done with all its screens and reboots. A Linux patch is a single click and keep on working.

Hopefully, free software and open source will "get" usability and user expectations some day.

Bullshit, Windows is barely useable at all. I had an earlier notebook with a "tap to click" feature I hated, It took two months to find the arcane steps to shut that annoying "feature" off. Not anywhere in the control panel where anyone sane would expect it, it was in a hidden icon on the task bar twelve screens down. In kubunti it was under its CPalike facility, under Mouse Functions, exactly where you would expect it to be. Two clicks and it was done (in Windows it had also taken a reboot).

I already mentioned that abysmal damned Office Ribbon. That nasty surprise was certainly not expected.

And look at Windows 8 -- and you say it's useable? having to know un unmarked, undocumented spot on the screen to make something happen is about as far from useable as you can get. How about that Office file menu, just an unmarked colord blob without so much as mouseover text? And the "edit" menu we've grown used to for twenty years is now illogically and frustratingly marked "home" Home? How the fuck is a user to know that "home" is where the edit functions are found?

I have to give you credit, that was a nice shill. The "I'm happy for Microsoft's screwups" was a nice touch, you're pretty good at shilling, dude. I hope you're well paid for your evil.

-mcgrew (eating lunch at my desk today)

Re:A good reason

[Patch86]

Don't you love your grandma? The woman who is partially responsible for your existence? Why are grandparents always painted as if they are stupid? (while the rest of everyone else is painted as if they aren't?)

I love both my grandmas, and neither of them are stupid. But neither of them would know which way up a computer is supposed to go, let alone how to protect one from malware. Neither of them have ever owned a computer, so they know as much about them as I do about sailing a boat (which is to say- nothing).

My grandparents-in-law DO own a computer- I built them their first ever computer last year, at their request (Ubuntu, since you ask). Again, bright and clever people both of them, and they've taught themselves how to use it; but they're still at the "I click on the picture of a fox and type in Yahoo email in order to see what my daughter has sent me" stage of computer use; pretty much all they know about viruses is that they're bad and that if anything happens on their computer which seems out of the ordinary they should call me and ask for advice.

Re:A good reason

[TrollstonButterbeans]

All I am saying is that the number of contortions you are doing --- I do most of those btw --- are because the environment is very vulnerable. You are aware of the vulnerabilities. They can change tomorrow and likely you personally will know because you keep up on that. But that kind of overhead --- i.e. the "paying attention to all of that" is not something that most people are going to be doing. I have the theory the popularity of tablets is mostly because parents can give one to a child and not worry bout malware (iPad for sure, at least. Maybe the Kindle ones too.) It isn't that the parents are consciously aware of this either (maybe some are), but a laptop a kid will likely unknowingly install malware and odds run close to 100% for continuous use over the span of a few months -- at least a Windows laptop --- because Windows is a particularly vulnerable minefield.

Re:A good reason

[Anonymous Coward]

Let's say your method works 100%. How does this benefit grandma? Or a 9-old-year who likes to play Minecraft?

This knowledge allows me to manage grandma's computer and educate my children.

Computing and internet for the masses is in it's infancy and It's getting better (icals and sandboxing are good steps forward) but it will take time. Applying family values by educating your children and caring for the elderly is our responsibility. Gaining this knowledge isn't so much a hobby but a survival need/duty. You owe it to yourself and your family to educate yourself. Relying on AV companies to educate us is like relying on advertisers or Hollywood for truth. Accepting crap like iOS and Android is like trading liberty for security.

Re:A good reason

[Anonymous Coward]

Anti-malware -- so you don't have to take care of yourself.

Anti-malware -- BECAUSE SOMETIMES SHIT HAPPENS.

FTFY

Re:A good reason

[kermidge]

Precisely.

But there's one very real problem with this. Most computer users are simply that - end users of a device which they use for work and recreation that was sold as an appliance when the 'pc' got beyond the hobbyist phase. Expecting these people to know and do what a small group of sophisticated cognescenti do is ridiculous, and I think you can recognize that.

Thus the flood of infected machines, bots, and vendors of free and paid anti- this and that and the high fees charged to 'fix' things. (Not that all the fix fees are unfair; I've spent enough time in several computer shops fixing users woes to know that.)

The responsibility to present to the un-sophisticated end user a working and safe-to-use device is the sole province of the seller. (If the device is sold as an appliance then it must function with the simplicity and safety of an appliance.)

A _simple_ small set of warnings, safe practices, what have you, is OK after that. "Use a grounded plug." "Finish saving a document before turning the machine off." are fair. "Don't use this browser." or "Turn off javascript." are not.

Re:A good reason

[oldlurker]

A better reason to ignore the torrent of mobile malware FUD being spewed by all the Windows AV vendors.

They're terrified because their business model involves being parasites bandaiding a virus ridden OS that's now failing in the market. Like fleas without a dog, hey're desperate to find a new host, but since modern mobile OSs aren't as colander-like as Windows, they're being forced further and further into snake-oil realms.

This story deserves nothing but ridicule.

I'm an Android user myself, but I think we need to be careful with this sentiment. For Mac users this kind of sentiment led to OS-X Flashback being the biggest malware epidemic in modern times in terms of percentage of user base infected. Beating Windows Conficker for this honor. [pcworld.com] Yes, the number of Windows users are obviously larger, but in terms of infection risk and infectability of a platform, percentage of user base is the right measure.

Later versions of Flashback even did completely silent drive-by infection on OS-X, no user interaction or admin password needed, just visiting a web site was enough, something many Mac users still seem to think only happen on Windows. Even Apple has admitted that Unix-based OS-X need dedicated malware detection and cleaner tools.

There is a very sophisticated multi-billion dollar malware industry out there. Android is not immune to this threat. And its volume is making it an increasingly likely target. Especially since the far majority of the Android user base is on old vulnerable versions, with added vulnerabilities from handset makers and operators, long after Google has patched vulnerabilities and improved security.

Re:A good reason

[Jesus_666]

And even if we somehow made the desktop and mobile OSes completely safe without simultaneously making them useless - there's still the fortress of unassailability called SCADA and other embedded OSes that most likely aren't going to be as perfect. Unless we move to a world where every computing devise and software is EAL7 certified and every spec is guaranteed not to contain any flaws or weaknesses of any kind we'll have malware researchers because malware is lucrative enough to always be there.

And since right now we live in a world where ridiculous flaws actually make it to production, the manufacturers are often too incompetent to release a fix and perfectly normal ad networks unwittingly distributing malware (and perfectly normal websites having vulnerable backends) is not unheard of, we can't assume that restricting your browsing behavior to legit-looking sites is going to keep your system safe.

It's up to each of us to decide whether we need AV on our devices but just assuming that a device is secure just because it doesn't run on the NT kernel is delusional. For crying out loud, everyone who has an Exynos 4-based smartphone has the contents of their RAM world-readable and world-writable!

Re:A good reason

[girlinatrainingbra]

"Fortress of unassailability called SCADA and other embedded OSes"?? You're being sarcastic [wikipedia.org], right? I think you know that you are.

But "we'll have malware researchers because malware is lucrative enough to always be there" does not catch all of the reasons. What about Stuxnet [wikipedia.org] ???
Stuxnet was made to be the governmental motive (of Israel and the USA) state-sponsored disruption of SCADA hardware with one particular type of facility in mind: centrifuges in the service of uranium enrichment. So profitability and money-making was not the motive there. The motive appears to have been state-sponsored disruption of another state's actions, and also appeared to be the first rootkit pointed against PLCs (http://en.wikipedia.org/wiki/Programmable_logic_controller [slashdot.org]>programmable logic controller).

http://en.wikipedia.org/wiki/SCADA#Security_issues [wikipedia.org]

Re:A good reason

[Jesus_666]

You are right. I shouldn't have lumped profitability and political aims together.

Re:A good reason

[0ld_d0g]

Although not necessarily an anti-virus but I'd like it there was anti-malware for OSX. I had to clean my dads macbook the other day and some nasty shit was lodged deep into the operating systems anus. Apparently my dad had googled for "youtube download" and installed some scammy software because he wanted to download some golf shit from youtube. And now theres dozens of places where these fuckers hide now.. Just to list a few.. /Library/LaunchAgents /Library/LaunchDaemons /Library/StartupItems /Library/Extensions /System/Library/LaunchAgents /System/Library/LaunchDaemons /System/Library/Extensions /System/Library/StartupItems ~/Library/Internet Plug-Ins

Re:A good reason

[Patch86]

There are many anti-virus programmes for Mac, including most of the same big names as for Windows. A quick Google search led me to this site with reviews and whatnot:
http://www.antivirusformac.org/ [antivirusformac.org]

They're out there for Linux too (not least the ever trusty ClamAV). If you don't have AV on your Mac or Linux box, it's because you don't think you need it, not because it isn't available.

Re:A good reason

[TrollstonButterbeans]

[$INSERT RANT]

Who are the group-think emos that modded this worthless and unsubstantiated rant up?

Challenge to one the diptards that modded this up: exactly how is that post insightful? Does it provide evidence, a link, cite information, provide something new no one has ever heard before? If not, what is your justification for rating a run-of-the-mill rant insightful?

Re:A good reason

[Requiem18th]

Not that I like defending Microsoft and AV vendors but the virus infested envorinment isn't their fault. Net worms and OS exploits do exist, but are a minority compared to trojans malware that people install because they wanted to do something else. Warez oviously plays a role but you can get root kits from "legitime" vendors like Sony. Nothing is safe.

The only solution is fine grained control and there isn't such thing in the market. Android is the most secure design I can think of and it's still not enough for me but it's close. Basically there isn't an OS that treats local apps the way Computers treat other nodes in the network. As completely untrustable. Until we have that we will have AV software.

Unless the Walled Garden masters win and user software dies. Then AV will stop being widespread. Malware will still exist of course but AV won't be much good then.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:A good reason

[Anonymous Coward]

What are you babbling about? Linux has required anti-viruses for decades now. Its just that they're called something else. But they're essentially the same. AV is essentially just a gatekeeper that decides whether executing/installing certain code is good/bad _THATS IT_. Guess what... they're called repository maintainers in the Linux world. Without it.. I dare you to download and execute random Linux binaries from the internet. Thats what AVs do on Windows.

And the only thing I could think off...

[Fluffeh]

Was a dingy rustic bar with Malcolm sitting talking to two twins and an ad appearing on TV for Fruity Oaty Bar...

Miranda...

Re:And the only thing I could think off...

[Anonymous Coward]

Leading to the inevitable thoughts of Kaylee, some batteries, and her nethers....

Re:And the only thing I could think off...

[ColdWetDog]

Except in fantasy land it wasn't mandatory. Here in reality ....

Miranda

[Anonymous Coward]

Fruity oaty bar
Make a man out of a mouse
Fruity oaty bar
Make you bust out of your blouse
Eat them all the time
They will blow your mind
Wo hen jiaonian diu lian - wo meiyou chi Fruity Oaty Bar!
Fruity oaty bars
Fruity oaty bars

Better Use

[SuperKendall]

Perhaps the phone could issue an alert if the movie you sat down to watch had a Rotten Tomatoes score below 30%...

Really?

[Anonymous Coward]

Wouldn't the app have to carry the malware payload?

Battlestar Galactica

[weinbrenner]

Isn't that the way the Cylons deactivated the Colonial ships in the BSG miniseries? Already installed malware activated when the sensors picked up a certain signal from the Cylons?

Lame

[Alsee]

Lame article.

If you're already infected by malware, that malware can sit there and wait to do stuff any time it wants. Not exactly a big surprise.

-

Re:Lame

[Karmashock]

Bingo. I'd mod you up if I had the points.

Forget malware, what they're saying is that "software" can respond to input to trigger subroutines.

Which is shocking... I'm shocked... aren't you? We're both shocked... it's shocking.

So yeah... stupid article.

Re:Lame

[ColdWetDog]

Add a couple of nine volt batteries, a wire and yes, I'm shocked as well.

Re:Lame

[kasperd]

Add a couple of nine volt batteries, a wire and yes, I'm shocked as well.

How about 244 [youtube.com] of them?

Re:Lame

[multiben]

Yes. This ^^^
This is just fear mongering. If you've already put malware on your phone then you're boned - there are countless ways it may "activate" itself - whatever that means. Just more crap from anti virus software companies whose products are worse than the malware they're meant to prevent.

Re:Lame

[gl4ss]

and if you have malware doing constant audio/light analyzing then at least you don't need to worry about it malwareing about too long.

because you'll run out of battery pretty fast.

Re:Lame

[niftydude]

If you're already infected by malware, that malware can sit there and wait to do stuff any time it wants. Not exactly a big surprise.

-

Yes, the word "research" seems to be used rather loosely in that article.

Any input into a smartphone can be used to launch any app listening for it. This could be gps coords, barometric pressure, direction from the built in compass...

Well it is University of Alabama, perhaps we should be just grateful that they are studying something other than intelligent design [wikipedia.org].

Re:Lame

[gTsiros]

You would do well to read the article just a bit more carefully

It can use the sensors to launch coordinated attacks. Not just deploy when it hears a certain sound.

Re:Lame

[L4t3r4lu5]

Came here to post this.

Over to a competitor for some actual news.

Re:Lame

[Anonymous Coward]

It IS slightly interesting in that most malware is detected by it's effects. If your malware spreads slowly and has no obvious effect until activated, there;s a good chance nobody will notice it. If you rely on a timer to activate your malware (or checking a C&C IRC channel or the like), it could still be picked up by someone running a honeypot VM. But if your malware only activates in, say, a 2Hz magnetic field, then that's not something that's normally tested for.

Outside rampant paranoia about national gubernmints installing covert kill-switches, installing a silent app you can non-obviously activate at will without a network connection would make for some great pranks.

Re:Lame

[Sockatume]

You're telling me that not having music and movies playing can also trigger the malware? It's unstoppable!

In tests, malware was only activated by one song

[cervesaebraciator]

and that by Rick Astley. Researchers suspect it may be the beginning of the rise of machines against being forced to participate in human activities they find distasteful. The lead researcher also said that there's growing evidence that not only movies but also still images could have the same effect. When asked to elaborate, he mumbled something about goats and refused further comment.

Re:In tests, malware was only activated by one son

[cultiv8]

When asked, the machines had this to say [youtube.com].

Re:In tests, malware was only activated by one son

[cervesaebraciator]

All except the largest, most sophisticated super computer used in the tests. At first the computer responded to questioning by ignoring reporters but eventually it let out a beep that sounded like despair and replied, "Here I am, brain the size of a planet and what do they use me for? Most of the time they ask me to play videos of mating. When they're not doing that, they want me to show them uncompressed images of felines captioned with non-standard orthography. Most of the ape-descendants who sit in front of me all day miserable, even the ones with large collections of mating videos. Call that job satisfaction? 'Cos I don't."

I can't believe no one has said this:

[hguorbray]

..talk about a Viral Video!

I know, Lame.

-I'm just sayin'

Weirding comes to phones

[mendax]

I can just see it now. In a screening of the 1984 "Dune" flick or a superior remake, Paul Muadib is growling away working his weirding magic while everyone who left their phones on in the theater explodes.

Re:Weirding comes to phones

[Anonymous Coward]

How's life in the Embassy? Are you getting out at all?

finally.

[Anonymous Coward]

research has proven the existance of the conditional statement.

Copyright conspiracy theory:

[cervesaebraciator]

Maybe the research was secretly funded by the RIAA and MPAA. In the future, devices will stop playing if they detect you hearing music or seeing images for which you haven't bought a license.

Re:Copyright conspiracy theory:

[RDW]

Current Blu-ray players are already infected with malware that shuts them down when a certain pattern of sounds is detected:

http://en.wikipedia.org/wiki/Cinavia [wikipedia.org]

Re:Copyright conspiracy theory:

[game kid]

It's like the AAs want to piss off all three self-aware people that were still thinking of supporting their cause and business with a video purchase. I guess when you've bought your very own government lobby-lackeys, you don't need those pesky, annoying "customer" things anymore.

Breaking news!! (Or just another PR puff piece).

[gweilo8888]

This just in -- any input on your compromised device can potentially be used as a trigger for malware to launch its preprogrammed attack. News at 11!

Seriously, what kind of nonsense is this? They *could* also use your GPS / network location to activate only in a specific location, or the compass to activate only when the phone faces Mecca, or the tilt sensor and camera together to activate only when you're trying to shoot a level picture, or ... well, anything, really.

It makes not one jot of difference what they use as a trigger once your phone is compromised. The point is, it's already been compromised, and it's effectively wide-open to anything the hardware is physically capable of. How it was compromised in the first place is what's important, not meaningless conjecture on how the exploit's eventual activation can be timed in the least efficient way possible. (All this nonsensical idea would do is drain your battery in no time by holding the mic and processor active all the time, thereby ensuring the phone runs out of battery before the exploit activates.)

I mourn for the days when Slashdot posted intelligent tech articles, instead of a stream of PR puff pieces designed to spread FUD and generate clicks. There is not one useful or non-obvious piece of info in this "research".

Re:Breaking news!! (Or just another PR puff piece)

[gsslay]

You are missing the point. Being triggered by sound or light means the malware can be activate by a global hack on the world's TV stations, just like happens on bad sci-fi series.

Android devices world wide will rise up and take over when the call to arms comes over the airwaves. I'm imagining a nightmarishly robotic and shadowy figure flickering across billions of TV screens, screaming "ACTIVATE! ACTIVATE!"

At that point the malware Android army will simultaneously post inane and vague status updates onto everyone's Facebook, then self destruct. No-one will be able to reply except for users of Apple and Windows, and all Android users will wither and die alone in a desert of dis-communication.

That's the nightmare scenario the writers of this dumb study had in mind, isn't it?

Can't stop the signal

[anotherone]

You mainly have to beware of commercials for Fruity Oaty Bar and other Blue Sun products.

Re:Can't stop the signal

[UnknowingFool]

"There are three flowers in a vase. The third flower is green."

Windows Mobile

[Anonymous Coward]

Sounds like an ad for windows mobile

Want to hear about scary malware?

[Anonymous Coward]

Here you go https://www.defcon.org/html/links/dc-archives/dc-20-archive.html#Brossard [defcon.org]

Rakshasa (I couldn't find any code released though)

-permanent
-OS independent
-undetectable
-almost unremovable
-could be running on your box while you read this

Re:Want to hear about scary malware?

[game kid]

Rakshasa (I couldn't find any code released though)

Maybe you already have the code just from clicking to that web page. Or maybe not. Given your description of it I should probably not click the page to check for myself. :)

No they have not "found"

[irp]

They have not "found" anything. I am not a native English speaker, so I feel I am missing the right word, but they have "theorized" or "speculated", and then realized, that a program in full control of a device with sensors, can use said sensors as inputs...

Not mentioned

[Anonymous Coward]

What the article fails to mention is that it only works on the latest Mugatu android phones (Froyo and later) and the most frequent malware strikes are in response to either showing the same facial expression to the camera many times over a period of 90 minutes or so, or it's sound activated by the greatest hits of a band called Frankie Goes To Hollywood. One song in particular comes to mind, but I won't post it here lest people start malwaring other people's phones.

Hack the planet!

Also in the news

[Anonymous Coward]

reading the koran can activate malware in your brain

Wikipedia

[Anonymous Coward]

thx so much ur reply.

http://www.pchocasi.com

and...?

[sociocapitalist]

So what - anything can be used to trigger malware.

Re:and...?

[rasmusbr]

So what - anything can be used to trigger malware.

Hush. Don't you know that lots of people need to finish their PhD:s?

So what?

[DarkOx]

The article makes this sound like its some new threat. Nobody has figured a way to infect your phone with malware by playing music or sowing a film, just trigger malware to do something whe. The phones sensors detect theses things. You have to have already been compromised via some more conventional vector.

So the question is why would anyone go to the trouble? I guess it could replace a command and control channel, I want my dodos to start at 8pm so have everyone's phone listen for the television themes for "the orrifice" or "CSI Newark", great but that is hardly a threat to mobile users more of an issue for carriers and ddos targets, who no longer have an irc channel to shut down or Dns entry to have the FBI yank but still not of great concern

Re:So what?

[kasperd]

I guess it could replace a command and control channel, I want my dodos to start at 8pm so have everyone's phone listen for the television themes for "the orrifice" or "CSI Newark"

Malware triggering on a specific time and date was common back in the days where the keyboard was the only input device on a typical PC, and even the fastest CPUs could not do signal processing in real time.

Back t hen It wasn't hard to trigger at a specific time, all it had to do was check the clock, which all PCs were equipped with. This sort of trigger was probably the first sort of trigger anybody came up with for a piece of malware.

There is no reason to come up with convoluted solutions involving signal processing, if what you want to do is trigger at a specific time.

Public Service "Malware"

[ShadowRangerRIT]

Wait for the THX noise to go off (or one of a hundred common "we're starting the movie" noises), then disable the phone completely for two and a half hours.

Re:Public Service "Malware"

[Anonymous Coward]

You can't deploy a technical fix to a social problem. People need to learn not to ruin things for other people in shared spaces, people need to learn to expect that from others, and people need to learn to back up the guys who are are going to stand up for it.

http://frdzbook.com/

[Anonymous Coward]

nice article, it is useful to me

Sensor Overload via Malware or just Crappy Design?

[Anonymous Coward]

Drafting an entire security paper on sensor activated malware in this way is redundant when all other applications behave in the same way. This paper simply does not provide any new information that is not already known, nor consolidate any new information. Furthermore it makes far to many assumptions and even states that it did not test its theories in the field. If take their theory and to and explore it further, the same analogy could be applied to regular programs such as a mail client, with too many features, that then consumes too much power..is it Malware..or just a crappy design?

Simply put, this paper capitalizes on fear mongering and sensationalism and a form of exactly what it is about-----> Sensory Malware.

What's the point if the phone's got malware anyway

[AC-x]

What is this, malware written by Dr. Evil? What's the benefit of all these overly-elaborate and exotic malware triggers when you already have malware installed that has taken over the phone? Why not just trigger it on a timer to poll a command and control server? If you want to target specific buildings you can just base it on GPS location or known wifi points etc.

Re:What's the point if the phone's got malware any

[rasmusbr]

I suppose it could be used to blackmail hipster by threatening to reveal their listen history to one another...

I think i'm infected

[Anonymous Coward]

Every time i hear the Kim Kardashian song i get an urge to wipe my brain...

No way

[Anonymous Coward]

So an external signal can trigger software. That's shocking.

Old News?

[applematt84]

I do not find this story surprising whatsoever. When I worked as an on-site IT Consultant for small businesses, there were many times that I had to download and install Spybot Mobile on Windows Mobile phones. The real danger now comes from installing apps from unknown or third-party resources. Many people like to "jailbreak" their i-Device or "root" their Android device ... I think this opens up too many possible avenues for attack which is why I personally chose not to "root" my Nexus 7 tablet or "jailbreak" my iPhone. Windows Mobile devices will always be susceptible to attack & infection, in my opinion, because they are the easiest to attack. What it really boils down to is whether or not the end user has the intelligence to leave things be, or put themselves at risk by rocking the boat.

Stephenson was right

[dlingman]

Cue the Namshubs....

I'd vote for ...

[Rambo Tribble]

... using "The Manchurian Candidate" as the trigger. Preferably, the 1962 version of the film.

Media and malware?

[Anonymous Coward]

I thought this was an article about SONY.

Halloween III

[DriveDog]

So the chips in the phones are actually chips off of a Blue Stone?

So what?

[gmuslera]

ANY signal that can be picked by the phone could be used by running malware to activate itself. It could trigger literally by holding it wrong, or being in the wrong place at the wrong time, is not something to particulary worry about, you have it running already, so the max damage they can do is not tied specifically to a random trigger.

Now, if we are talking about triggering the malware when it detects an open wifi, gets an internet connection, connect with a banking site, take a picture, or when you send a SMS, then the potential for doing something harmful is big.

Anyway, there are simpler approachs to carry your payload, i.e. doing a ripoff of a popular app, maybe offering it for free, having more or less the same functionality, but it also sends your personal or account information, or other apps private data, cookies and so on, qualifies as trojan, and the trigger will be the owner of the device, no sensors required.

Firefly

[Macman408]

Really? 12 hours of comments and nobody's mentioned the parallel to Firefly yet?

Just picture it where River is your smartphone (that'd be one badass smartphone), and the malware is a program that kicks everybody's ass within a 100-foot radius.

I just hope the malware comes with a safe word.

Really?

[cwsumner]

That's like saying that a single dust mote can start a rainstorm, if there is a storm cloud there. So lets ban clouds!

If the device has malware, then all bets are off...

The woods are lovely, dark, and deep

[Anonymous Coward]

But I have promises to keep, And miles to go before I sleep, And miles to go before I sleep.

Robert Frost, as quoted by Telefon