Abstract

Covert listening devices—a combination of a miniature radio transmitter and a microphone—have been used as key espionage instruments as early as the mid‐20th century. More recently, hackers have started exploiting inherent weaknesses in current mobile platforms allowing them to remotely convert a victim's smartphone device into a roving spy bug without his knowledge. The goal of this paper is to illustrate with the aid of an Android mobile platform application that permissions gained in a legitimate way can be used to evade the integrity and privacy of the mobile device and install malware that remains completely hidden. When the attacker makes a call to the victim's phone, he is able to listen in to the victim's surroundings transforming the mobile phone into a sophisticated covert listening device. This communication‐level attack goes undetected by current detection mechanisms. An anomaly‐based detection feature set is another contribution of this paper to mitigate the proposed attack. As more and more mobile devices are being rapidly integrated into enterprises with the increase in bring‐your‐own‐device model in many organizations, without a rigorous security screening policy, this weakness tends to facilitate corporate espionage by presumably allowing as many spy bugs in the board meeting as there are attendees with mobiles. This work provides a demonstration of a dangerous espionage attack targeting smartphones whereby an attacker can, with the aid of an Android mobile platform application, make a call to the victim's phone and listen in to the victim's surroundings transforming the mobile phone into a sophisticated covert listening device. It also proposes and evaluates a defense technique to detect and mitigate the attack where existing security mechanisms fall short. Copyright © 2015 John Wiley & Sons, Ltd.
