A recent article at http://www.thinq.co.uk/2011/1/20/android-trojan-captures-credit-card-details/#ixzz1Bb8RGsWS describes how an attack against Android based phones might be able to capture your credit card information even when you speak it into the phone. The interesting thing about this proof of concept is not that the application can capture voice details, but rather that it uses a second application to transmit the captured information.
Google designed Android so that certain communications were limited between applications, but the researchers found a way around that. Instead of directly sending the information from one program to another, they use a clever form of Morse code. Morse code was probably the first widely accepted binary form of communications. Dots and dashes are no different than ones and zeros. One application changes something like the screen brightness and another reads the screen brightness. Let’s say that full illumination is a dot, and anything less is a dash. By making minor modifications in how bright the screen is a lot of data can be transferred between programs without the user probably noticing it.
It will be interesting to see if this attack can be used against other smart phones as well.
Yes, use your Android or other smart phone for purposes that actually enhance your quality of living, but be careful about what applications you install. Ask yourself if you really need another application. The best choice is usually not to install a lot of software that you know very little about.
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC
Author ESET Research, ESET