Researchers at the University of Alabama recently identified a new way for cybercriminals to activate dormant mobile malware through a phone’s sensors. The embedded malware was programmed to remain dormant until a sensor picked up the relevant trigger – which could be anything from a song played over the radio to a specific pattern of flickering lights. SC Magazine reporter Shona Ghosh reported on the findings and wrote, “Pulling out your phone in a cinema or a room with flickering lights could be enough to trigger malicious software on your smartphone.” Once triggered, the activated malware would then carry out the programmed attack, either by itself or as part of a wider botnet of mobile devices.
“We devote a lot of our efforts towards securing traditional communication channels. But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that,” said lead researcher Dr. Ragib Hasan. Although this is simply a proof-of-concept attack, it certainly raises new questions about what the future of mobile malware will bring.
We’ve discussed the risks of losing a device and sensitive corporate data through theft and leaky apps, but a new BYOD threat is now being explored. What happens when a corporation is served with a request for information as part of a legal procedure? Most organizations don’t know what data employees are creating and keeping on their devices, so how could the data be searched and retrieved? CITEworld’s Matt Rosoff wrote about this growing concern: “Classifying data and having smart data policies in place are important. But the key to addressing the problem is more mundane: Training.”