New Android attack allows listening to calls remotely

According to experts in vulnerability testing, users of mobile devices running the Android operating system face multiple threats on a daily basis. From malicious applications to exploits against the operating system, hackers are constantly developing new ways to compromise the security of these devices.

A new method for listening in on phone calls, known as Spearphone, has now been reported. It uses a smartphone's motion sensors to eavesdrop on the audio output of the speakers.

A group of vulnerability testing experts from the University of Alabama, Birmingham, found that any motion sensor (or accelerometer) can capture any audio content played through a device’s speakers when the speaker is used during a call.

Because a smartphone’s motion sensors are always on and apps do not request permission to use them, any malicious software could capture audio reverberations in real time; this data can also be recorded or sent to a location controlled by hackers.

Vulnerability testing experts tested this attack on three different smartphone models, the LG G3, the Samsung Galaxy Note 4 and the Samsung Galaxy S6. These devices were selected because the speakers and accelerometer are located relatively close to each other, making it very easy to detect audio vibrations.

Although it is relatively easy for a sensor to detect audio, an attacker still needs a way to access this data. According to the experts, it all depends on the permissions of the applications installed by the user. “There is a known vulnerability associated with the motion sensors of a smartphone, as these devices do not have any restrictions on reading the logs of an accelerometer; virtually any application can access and read this data,” the experts say.

According to experts from the International Institute of Cyber Security (IICS), any situation in which a user makes a call on speaker becomes a potential attack scenario. In addition, the extraction of information is not limited to the user’s calls: hackers can also extract data from any application that plays audio, such as music, videos, and queries to the Google Assistant, among other services.