Trojan droppers are regularly ranked among the top 5 worst malware threats, especially for Android. Malware-detection software opts either to identify the payload when it is executed in memory or to detect the connection from which droppers attempt to download malicious payloads. Much effort has been put into securing network channels and stopping droppers from delivering their payloads. This paves the way for alternative routes of infiltration. Our paper extends work on inaudible sound covert channel attacks and audio fingerprinting to use them for close vicinity attacks as potential mass dropper techniques. We demonstrate that malware modules can be dropped over the air to multiple devices using the same sound medium from approximately four to five meters away. Instead of using network connections, we conceal the malware within music's inaudible frequencies. Then we use a seemingly innocent app that implements an algorithm similar to Shazam's audio fingerprinting to transmit the payload over the device's microphone and execute it. To accomplish this, we combine Short-Time Discrete Fourier Transform, peak frequency mapping and dilation techniques to encode a Meterpreter payload as fluctuations in magnitude within inaudible frequencies. To our knowledge, there is currently no technique capable of transmitting payloads to multiple neighboring systems without discrete network connections between the payload's remote location and the device. We therefore present realistic attack cases and provide solutions for these attack vectors, including modulation and high-peak compression of sound-dependent channel frequencies.
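A defender-side check for the channel the abstract describes, as an added example that is not code from the paper: it measures, frame by frame, the share of signal energy above a band floor and flags frames where that share is unusually high. The sample rate, frame size, 18 kHz floor, 1% threshold and both test signals are assumptions constructed for this illustration.

```python
import math

RATE = 44100            # sample rate in Hz (assumed)
FRAME = 1024            # samples per analysis frame (assumed)
BAND_FLOOR_HZ = 18000   # assumed lower edge of the "inaudible" band; not from the paper
THRESHOLD = 0.01        # assumed: flag frames with >1% of their energy above the floor

def bin_power(frame, k):
    """|X[k]|^2 of one frame, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def high_band_fraction(frame):
    """Share of the frame's energy between BAND_FLOOR_HZ and Nyquist."""
    n = len(frame)
    energy = sum(x * x for x in frame)
    if energy == 0.0:
        return 0.0                      # silent frame: nothing to measure
    k_lo = math.ceil(BAND_FLOOR_HZ * n / RATE)
    band = sum(bin_power(frame, k) for k in range(k_lo, n // 2))
    return 2.0 * band / (n * energy)    # Parseval: all bins sum to n * energy

def flagged_frames(samples):
    """Indices of whole frames whose high-band share exceeds THRESHOLD."""
    starts = range(0, len(samples) - FRAME + 1, FRAME)
    return [i for i, s in enumerate(starts)
            if high_band_fraction(samples[s:s + FRAME]) > THRESHOLD]

def tone(freq, amp, n, start=0):
    """Sine samples, phase-continuous from sample index `start`."""
    return [amp * math.sin(2 * math.pi * freq * (start + i) / RATE) for i in range(n)]

# Constructed input: a 440 Hz tone stands in for music; `keyed` adds a quiet
# 19 kHz tone that is switched on only in the frames marked 1 in KEYING.
KEYING = [1, 0, 1, 1, 0, 0, 1, 0]
clean = tone(440, 0.5, FRAME * len(KEYING))
keyed = list(clean)
for idx, on in enumerate(KEYING):
    if on:
        for j, c in enumerate(tone(19000, 0.1, FRAME, idx * FRAME)):
            keyed[idx * FRAME + j] += c

if __name__ == "__main__":
    print("clean:", flagged_frames(clean))
    print("keyed:", flagged_frames(keyed))
```

On real recordings the threshold needs tuning against a baseline, since cymbals and sibilants also put some energy above 18 kHz.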