There's malware that can steal your social networks, and now there's malware that can steal your virtual world in order to steal from your real-life world as well. Military researcher Robert Templeman from the Naval Surface Warfare Center in Crane, Indiana, and a team from Indiana University created a super creepy Android app called PlaceRaider; it runs in the background on the Android 2.3 (Gingerbread) operating system. The sensory malware covertly taps into the phone's camera to capture photos, which attackers can stitch together to recreate a 3D image of the victim's surroundings and then steal any sensitive information in view. This new "threat to the privacy and physical security of smartphone users" was dubbed "virtual theft."
Malware that uses a smartphone's sensors to steal sensitive information from the target's physical environment has been developed before. Soundminer monitors phone calls and steals credit card numbers either spoken or entered on the keypad. Another example uses a smartphone accelerometer; spiPhone eavesdrops on the sound of your fingers typing on the keyboard to detect pairs of keystrokes and determine what you're typing. The creators of PlaceRaider, a "novel visual malware," said sensor malware that remotely exploits a mobile phone's camera has been "understudied."
According to the abstract of "PlaceRaider: Virtual theft in physical spaces with smartphones":
Through completely opportunistic use of the camera on the phone and other sensors, PlaceRaider constructs rich, three dimensional models of indoor environments. Remote burglars can thus download the physical space, study the environment carefully, and steal virtual objects from the environment (such as financial documents, information on computer monitors, and personally identifiable information). Through two human subject studies we demonstrate the effectiveness of using mobile devices as powerful surveillance and virtual theft platforms, and we suggest several possible defenses against visual malware.
To test whether the visual malware would work and capture images other than the ceiling or a person's pocket, the Indiana University team handed out infected Android phones to a group of people who were unaware of the malware. Not only were they able to reconstruct 3D models of the users' surroundings, they were able to zoom in and commit "virtual burglary," meaning they could steal credit card numbers, checks, calendars, documents and other sensitive information, such as what was shown on a computer screen - anything that the camera could pick up in the users' environment. If you carry your phone to the bedroom or somewhere else while you are undressing, it would expose a lot more than your documents to an attacker.