New Android Attack Lets Apps Capture Loudspeaker Data Without Permission

Author: Mario Petkovski

Personal data collection without permission has been a frequent topic in recent times. Giant internet companies such as Facebook and Google have faced problems with privacy breaches and personal information leaking through their platforms.

Because the internet has become part of our everyday life and technology is evolving fast, the world is facing this problem for the first time. Personal data has become very valuable, and it is used for creating advertising campaigns and targeting certain people. Data mining is so popular that it has surpassed the value of oil, and it is growing day by day.

That is why so many hackers and companies try to gather more data from users in order to use that data in other activities. Governments around the world still do not have the right regulations in place to prevent this kind of activity.

The problem is that no one reads the terms and conditions before signing in to a platform, which leaves them vulnerable to personal data leaks. After the personal information leak involving Facebook and Cambridge Analytica, shown in the recent documentary The Great Hack, the company agreed to pay $5 billion, the highest penalty ever imposed on any company.

In recent times hackers targeted sensitive loudspeaker data throughout 1300 Android apps without any permission. App developers abuse multiple workarounds in order to collect users' locations, phone identifiers and MAC addresses without the users knowing about it.

However, in the past month cybersecurity researchers have discovered a new side-channel attack that could allow malicious apps to access the sound coming out of your smartphone's loudspeaker without requiring any device permission.

The attack takes advantage of a hardware-based motion sensor called an accelerometer. This piece of hardware is built into most Android phones, and any app installed on the device can read it with zero permissions.

The sensor is designed to track the motion of the device, such as tilt, shake, rotation and swing, by measuring the time rate of change of velocity with respect to magnitude or direction.

The loudspeaker is placed on the same surface as the accelerometer, and it produces surface-borne and aerial speech reverberations in the body of the smartphone. This enables an attacker to record speech reverberations using the accelerometer. Even though the sensor cannot record audio directly, it can capture signals that can be processed with machine learning techniques in order to reconstruct the full conversation.

By using this technique, attackers can find out users' favorite music, loudspeaker conversations, recorded messages and anything else played through the loudspeaker.

Additionally, some technology experts claim that the vibrations from the loudspeaker are not powerful enough to trigger the motion sensor, even though researchers tested this situation and the accelerometer captured a response.

Big tech companies have already started to test changes on their new devices, introducing limitations such as a low sampling rate and variation in maximum volume and voice quality in order to prevent the accelerometer from capturing any readings.
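Why a low sampling rate works as a limitation, shown as an added example that is not from the researchers or any vendor: a sensor sampled at a given rate can only represent vibration components below half that rate, and anything higher folds down to a wrong, lower frequency. The tone frequencies and sampling rates below are constructed values chosen for illustration.

```python
import math

# Constructed test tones (Hz) standing in for loudspeaker vibration
# components; assumed values, not figures from the article.
TONES_HZ = [120, 230, 410]

def sample_tone(freq_hz, rate_hz, seconds=1.0):
    """Sample a unit sine wave the way a rate-limited sensor would."""
    n = int(rate_hz * seconds)
    return [math.sin(2 * math.pi * freq_hz * i / rate_hz) for i in range(n)]

def dominant_frequency(samples, rate_hz):
    """Frequency (Hz) of the strongest DFT bin between 0 and rate_hz / 2."""
    n = len(samples)
    best_bin, best_power = 0, 0.0
    for k in range(1, n // 2 + 1):
        re = sum(s * math.cos(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        im = sum(s * math.sin(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        power = re * re + im * im
        if power > best_power:
            best_bin, best_power = k, power
    return best_bin * rate_hz / n

def observed(tone_hz, rate_hz):
    """Frequency at which a tone appears after sampling at rate_hz."""
    return dominant_frequency(sample_tone(tone_hz, rate_hz), rate_hz)

def preserved_tones(rate_hz, tones=TONES_HZ):
    """Tones that still appear at their true frequency at this rate."""
    return [t for t in tones if observed(t, rate_hz) == t]

if __name__ == "__main__":
    for rate in (1000, 500, 200):
        seen = {t: observed(t, rate) for t in TONES_HZ}
        print(f"{rate} Hz sampling: observed {seen}, intact {preserved_tones(rate)}")
```

At the lowest rate none of the three tones is seen at its true frequency, which is the effect a sampling-rate cap relies on.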

This could be a major issue for many users, and it could lead to enormous leaks of private information. Since we use the mobile phone speaker every day, hackers could easily pull out information about users and use that data against them.

With artificial intelligence and machine learning technology, they can learn the signals and translate them into full voice messages. Apple is also a target for hackers, as recently a man pleaded guilty to hacking the Apple accounts of NFL players. Some of the over 1400 athletes attacked by the breach are currently NFL MVP 2019 favorites.

Surely this could be prevented in future phones, but the question about the safety of our loudspeaker conversations still remains.


