To avoid alerting the user, the research team chose not to record video surreptitiously, since the battery drain might be noticed. Instead, the malicious mobile app muted the camera shutter as it took random images, and then stamped the time and location on each photo. The camera snapped one picture every two seconds. The software automatically deleted any blurry or dark images that fell below the quality threshold before uploading the rest to the PlaceRaider command and control server. While most Androids have camera resolutions above 8 megapixels, as seen in the image below, the researchers opted for a lower resolution of 1 megapixel to avoid the additional cost of handling and storing all that extra data.
Templeman wrote [PDF], "PlaceRaider thus turns an individual's mobile device against him- or herself, creating an advanced surveillance platform capable of reconstructing the user's physical environment for exploration and exploitation."
Malware such as PlaceRaider could be wrapped and hidden away within another otherwise legitimate app. "These remote services can run in the background, independent of applications and with no user interface." Although the researchers used the Android platform for the visual malware, they said, "we expect such malware to generalize to other platforms such as iOS and Windows Phone."
One of the suggested defenses was to check any app permissions before installing, but the researchers said that if PlaceRaider was embedded in a camera app, it would not require escalating privileges. A camera app would ask for the same permissions that the Trojan needed.
Templeman concluded, "We conceptualize a mode of attack where opportunistically collected data is used to build 3D models of users' physical environments. We demonstrate that large amounts of raw data can be collected and define novel approaches that can be used to improve the quality of data that is sent to the attacker. We offer PlaceRaider, an implementation of a virtual theft attack and through human subject studies demonstrate that such attacks are feasible and powerful."
Remotely exploiting your smartphone camera is certainly scary stuff that could wreak destruction on both a privacy and security level while it covertly steals a person blind. During an interview about the visual malware app on 720 WGN, security researcher Apu Kapadia said PlaceRaider made him paranoid about his phone. Yet when he looked, he couldn't find any smartphone camera covers. If this gets out in the wild, maybe there would be a market for that . . . or else people might use a tiny piece of masking tape?
If interested, you can download the PlaceRaider cryptography and security research paper from Cornell University Library.