As is typical, many are heralding it as a sign of a smartphone security apocalypse, but they need to calm down. Cybercriminals simply aren't that smart, and there's nothing new to be worried about.
The so-called Soundminer malware listens in on phone conversations and uses speech recognition to decode credit card and PIN details that users might mention when, for example, calling their bank. DTMF tones heard when keys are pressed are also recognized and decoded.
The data is then passed to another piece of malware, called Deliverer, which sends it off to the hacker's HQ via the Internet.
The clever part is how the two pieces of malware bypass Android's built-in security.
Individual permission is required from the user for each newly-installed app that wants to access a specific hardware component.
A program that wanted permission to access the microphone and also send data would be a little suspicious, so Soundminer only requests to use the microphone. The Deliverer malware only requests to send data.
Data exchange between the two programs would also be viewed as suspicious, so they use system communication channels built into Android that are designed to share system settings information. These only allow a handful of bytes to be transferred, but that's enough for a credit card number.
Soundminer could be hidden in a simple app that, for example, required microphone access permissions in order to make an on-screen balloon blow up based on how much the user shouted. Deliverer could easily be integrated into a simple game that requests data transmission permission in order to report high scores.
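The gap described above can be shown as a device-wide audit. This is an added example, not code from the Soundminer research: a per-app rule that flags "microphone plus network" passes both apps, while a check across all installed apps surfaces the pair. The package names and the inventory are constructed, and treating RECORD_AUDIO as the source and INTERNET as the sink is this example's assumption.

```python
from itertools import combinations

# Real Android permission names; the source/sink grouping is this example's assumption.
SOURCES = {"android.permission.RECORD_AUDIO"}
SINKS = {"android.permission.INTERNET"}

# Constructed inventory modelled on the two apps described above (hypothetical package names).
INSTALLED = {
    "com.example.balloon": {"android.permission.RECORD_AUDIO"},
    "com.example.highscores": {"android.permission.INTERNET"},
    "com.example.notes": {"android.permission.VIBRATE"},
    "com.example.voicechat": {"android.permission.RECORD_AUDIO",
                              "android.permission.INTERNET"},
}

def per_app_flags(apps):
    """Apps holding a source and a sink by themselves (what a per-app review sees)."""
    return sorted(name for name, perms in apps.items()
                  if perms & SOURCES and perms & SINKS)

def split_pairs(apps):
    """Pairs where one app holds only a source and the other only a sink.

    Neither member is returned by per_app_flags, yet together they cover
    capture and transmission if any channel exists between them.
    """
    pairs = []
    for (a, pa), (b, pb) in combinations(sorted(apps.items()), 2):
        # Try both orientations: (a captures, b sends) and (b captures, a sends).
        for src, sp, snk, kp in ((a, pa, b, pb), (b, pb, a, pa)):
            if (sp & SOURCES and not sp & SINKS
                    and kp & SINKS and not kp & SOURCES):
                pairs.append((src, snk))
    return pairs

if __name__ == "__main__":
    print("per-app review flags:", per_app_flags(INSTALLED))
    for src, snk in split_pairs(INSTALLED):
        print(f"split capability: {src} (microphone) + {snk} (network)")
```

On a real device the pair list will be long, so it serves to narrow which apps deserve a closer look, not as a verdict.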
In all, Soundminer is a well thought-out and ingenious piece of programming.
And that's why we'll never, ever see anything like it in the real world.
Criminals always prefer a quick and dirty approach. It's one of their defining characteristics.
There are two ways to rob a bank. You could get a job there and embezzle money secretly. Or you can run in, wave guns, and run out as quickly as possible with bags of money.
Guess which is more popular?
Sophistication, subtlety, and mastermind intelligence are limited to movie criminals. The most successful criminals in the real world are those who keep things simple, and cybercrime is no different.
I'm not suggesting we underestimate cybercriminals, but the chances of them creating something as clever as Soundminer are extremely limited. It took a team of university researchers to come up with Soundminer, working at the City University of Hong Kong and Indiana University.
Ultimately, why would cybercriminals want to bother with something as elaborate as Soundminer, when they can just send phony e-mails that catch out gullible users and rake in the money?
Good malware doesn't need to be clever or well made. It just needs some way of fooling people into handing over useful personal details, which history has proved is actually pretty easy. It also needs some way of travelling around from device to device and, crucially, there's nothing new in the Soundminer research to indicate how this might be done.
Soundminer highlighted some design flaws within Android that hopefully will get addressed quickly, but there's really nothing else to cause concern.
Security companies are hailing 2011 as the year smartphone malware goes mainstream, but we should guard against such pronouncements. The more scared we are, the more likely we are to buy malware protection products. We can't trust the word of people who are trying to sell us something.