Once again, Android is in the limelight for malware. This time it's a trojan horse installed on the device that is triggered by outgoing calls and has the ability to store credit card numbers that are input either via touch tone (DTMF decoding) or by voice, which it analyses and converts to text. The application, Soundminder, is relatively small, weighing in at just over 1MB, and uses minimal permissions to capture, store and analyse any information that is input via voice or the dial-pad. It takes roughly 15 seconds to convert the voice audio into actual numbers, and the information is then stored to be used at a later time. Enter Soundminder's partner in crime, Deliverer. Deliverer is a tiny application that uses network permissions to transfer the captured information to a hosted server so the attacker can view the credit card numbers.
Together, the applications use a covert method of transferring the data between them. Because Android uses sandboxing and separate user accounts for each running process, it is very hard for applications to share information without explicitly requesting permissions. Soundminder, however, has write access to certain hardware, so it can adjust device settings such as LCD timeout, ringer volume and other seemingly innocuous values. Deliverer can then read those values, obtain the information and send the stored credit card numbers to an attacker.
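The pattern described above (one app without network access rewriting a device setting, a second app with network access reading it back each time) can be looked for in settings-access telemetry. The following is an added example, not code from the original post or from the researchers; the audit event format, package names, values and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed audit events in a hypothetical format:
# (time in seconds, package, operation, setting key, value)
EVENTS = [
    (0, "com.example.recorder", "write", "screen_off_timeout", 15041),
    (1, "com.example.sync", "read", "screen_off_timeout", 15041),
    (2, "com.example.recorder", "write", "screen_off_timeout", 15112),
    (3, "com.example.sync", "read", "screen_off_timeout", 15112),
    (4, "com.example.recorder", "write", "screen_off_timeout", 15034),
    (5, "com.example.sync", "read", "screen_off_timeout", 15034),
    (6, "com.example.recorder", "write", "screen_off_timeout", 15078),
    (7, "com.example.sync", "read", "screen_off_timeout", 15078),
    (8, "com.example.recorder", "write", "screen_off_timeout", 15090),
    (9, "com.example.sync", "read", "screen_off_timeout", 15090),
    (30, "com.android.settings", "write", "volume_ring", 5),  # ordinary user change
    (31, "com.example.sync", "read", "volume_ring", 5),
]
# Constructed map: does the package hold a network permission?
HAS_NETWORK = {"com.example.recorder": False, "com.example.sync": True,
               "com.android.settings": False}

def find_settings_channels(events, has_network, window=60, min_values=4):
    """Return sorted (setting, writer, reader) triples that match the pattern."""
    writes = defaultdict(list)  # (setting, package) -> [(time, value)]
    reads = defaultdict(list)   # (setting, package) -> [time]
    for t, pkg, op, key, value in events:
        if op == "write":
            writes[(key, pkg)].append((t, value))
        else:
            reads[(key, pkg)].append(t)
    findings = []
    for (key, writer), ws in writes.items():
        ws.sort()
        # Burst: one app writes many distinct values to a setting inside the window.
        burst = any(len({v for t, v in ws if t0 <= t < t0 + window}) >= min_values
                    for t0, _ in ws)
        # A writer that already has network access has no need for a relay app.
        if not burst or has_network.get(writer, False):
            continue
        for (rkey, reader), rs in reads.items():
            if rkey != key or reader == writer or not has_network.get(reader, False):
                continue
            # Count writes that the reader picked up before the next write landed.
            ends = [t for t, _ in ws[1:]] + [ws[-1][0] + window]
            paired = sum(any(t <= r < end for r in rs) for (t, _), end in zip(ws, ends))
            if paired >= min_values:
                findings.append((key, writer, reader))
    return sorted(findings)
```

The single `volume_ring` change made through the settings app is not flagged, because one write is not a burst of distinct values.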
Soundminder requests less invasive permissions than other applications in the Android Market, so it would be extremely easy for a user to assume it is safe and install it. Hopefully Google can find a way to list permissions at a more granular level, so users can see exactly what API calls an app has access to.
See below for the video.