Researchers at CA Technologies claim to have uncovered a Trojan which could make the work of so-called 'phone hackers' a lot easier: installed on an Android handset, it silently records all incoming and outgoing calls.
The app, which claims to be a useful package called Android System Messenger, runs quietly in the background of any handset on which it is installed. When calls are made, it triggers a recording function that captures the audio and saves it to a file in the heavily compressed AMR format.
These small files - a few kilobytes per minute - are then uploaded to a remote server for the attacker to listen to at his or her leisure. From a user's perspective, nothing untoward has happened, although the more eagle-eyed may spot increased data upload activity if they have a third-party monitoring tool like 3G Watchdog installed.
The Trojan dumps its files in a folder called 'shangzhou' on the SD card as a temporary storage location prior to uploading. The name apparently refers to a district in China, itself named for King Zhou of Shang, the last king of the Chinese Shang Dynasty, which suggests a Chinese connection for the app.
The app's core function - call recording - is one emulated by legitimate apps such as CallRecorder, but the Trojan's use of misdirection places it firmly in the 'malware' category. Thankfully, the app doesn't appear widespread, and is not available on the Android Market.
"As it is already widely acknowledged that this year is the year of mobile malware, we advise smartphone users to be more logical and exercise basic security principles while surfing and installing any applications," writes Dinesh Venkatesan on CA's research blog. Those basic security principles should extend to reviewing the permissions that an app requests on installation, he explains.
The Trojan reveals its true intention by requesting the 'Phone calls' permission, which grants it the right to 'intercept outgoing calls [and] read phone state and identity.' Without that permission, freely yet mistakenly granted by the user on installation, the software would be unable to monitor the call.
"It is always recommended to have logical decision making before allowing an app to have certain permissions," Venkatesan writes, highlighting that perhaps user error - or Google's failure to make the permissions dialogue more explicit in what each step allows - is the biggest threat to smartphone users' security.
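The permission review described above can be automated for apps under triage. The following is an added example, not code from CA's research or from the article: it assumes the app's AndroidManifest.xml has already been decoded to text, maps the 'Phone calls' wording to the Android permissions PROCESS_OUTGOING_CALLS and READ_PHONE_STATE, and assumes that the record, store and upload behaviour would need RECORD_AUDIO, WRITE_EXTERNAL_STORAGE and INTERNET. The two sample manifests and their package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# The two permissions behind the 'Phone calls' wording quoted in the article.
PHONE_CALLS = {P + "PROCESS_OUTGOING_CALLS", P + "READ_PHONE_STATE"}
# Assumption: what the described record / stage-on-SD / upload behaviour needs.
CAPABILITIES = {
    "record audio": P + "RECORD_AUDIO",
    "write to SD card": P + "WRITE_EXTERNAL_STORAGE",
    "upload data": P + "INTERNET",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml):
    """Summarise call-related capabilities an app asks for at install time."""
    perms = requested_permissions(manifest_xml)
    phone = sorted(p[len(P):] for p in perms & PHONE_CALLS)
    findings = ["phone calls: " + ", ".join(phone)] if phone else []
    findings += [label for label, perm in CAPABILITIES.items() if perm in perms]
    # Call access + microphone + network is the full record-and-upload chain.
    chain = bool(phone) and {P + "RECORD_AUDIO", P + "INTERNET"} <= perms
    return {"findings": findings, "call_recording_chain": chain}

def _manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS[1:-1]}" '
            f'package="{package}">{uses}</manifest>')

SAMPLE_MESSENGER = _manifest("com.example.messenger", [
    "PROCESS_OUTGOING_CALLS", "READ_PHONE_STATE", "RECORD_AUDIO",
    "WRITE_EXTERNAL_STORAGE", "INTERNET"])
SAMPLE_NEWSREADER = _manifest("com.example.news", ["INTERNET"])

if __name__ == "__main__":
    for name, xml in [("messenger", SAMPLE_MESSENGER), ("news", SAMPLE_NEWSREADER)]:
        print(name, audit(xml))
```

A legitimate call recorder would raise the same flag, so the result is a prompt to check whether the app's stated purpose justifies the combination, not a verdict.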