Malware turns smartphones into corporate spying tools

While only a lab concept, the exploit could find its way into the business environment.

A new strain of malware has been developed that enables an attacker to use a smartphone's sensors to steal information from the physical environment, for example by taking photos of sensitive corporate information or eavesdropping on confidential conversations.

Researchers from Indiana University and the Naval Surface Warfare Center have developed "visual malware" called PlaceRaider that allows attackers to engage in remote reconnaissance with the smartphone's camera.

Exploiting the camera capability, PlaceRaider can construct three-dimensional models of indoor environments, study the environment, and steal financial documents, information on computer monitors, and personally identifiable information, the researchers explained in their paper.

They said their malware can introduce an invasive strain of visual malware, reconstruct spaces from smartphone images, develop tools to aid virtual burglary, and carry out and evaluate virtual theft.

The researchers targeted Google's (NASDAQ: GOOG) Android phone in their study, although they explained that the exploit could be carried out on any smartphone, including an Apple (NASDAQ: AAPL) iPhone and Microsoft's (NASDAQ: MSFT) Windows Phone.

While the PlaceRaider malware is currently only in the lab, the smartphone vulnerability it exploits could be targeted by hackers to develop similar malware to steal valuable corporate information.

In response to the researchers' work, Robert Enderle, president of Enderle Group, cautioned that the Android platform is "downright unacceptable in any area where privacy is a concern."

Enderle wrote in a CIO article that smartphones "that have been jailbroken, use side-loaded applications that bypass the Google Play store, or come from vendors who have aggressively moved against personal privacy should likely be barred by your corporate bring your own device (BYOD) policy unless their security can be assured by some other process."

Android phones have a reputation for being less secure than iPhones and BlackBerrys, particularly when it comes to the risk of malware infecting the phone from a downloaded application. While banning Android smartphones in the workplace is not an option, IT administrators need to be particularly careful about Android's risks and implement appropriate technology and policies to deal with them.

For more:
- check out the researchers' paper
- read Enderle's CIO article
