Dubbed PlaceRaider, the malware is built for Android 2.3 Gingerbread and above. It masquerades inside the photo app, and quietly takes pictures that are tagged with time, location and accelerometer-based directional information, unbeknownst to the user. Photo recognition capabilities highlight financial data inside the photo, like checks, credit cards, financial documents, information on computer monitors and other personally identifiable information.
Then, PlaceRaider constructs rich, three-dimensional models of indoor environments. Remote burglars can thus 'download' the physical space, study the environment carefully and steal those virtual objects of interest from the environment.
The School of Informatics and Computing at Indiana University and the Naval Surface Warfare Center developed the trojan as a cyber-espionage and virtual theft experiment, verified through two human-subject studies. The idea is to highlight the effectiveness of mobile devices as powerful surveillance and virtual theft platforms, and to pioneer possible defenses against such visual malware.
“A new strain of 'sensor malware' has been developing that leverages these sensors to steal information from the physical environment, e.g., researchers have recently demonstrated how malware can 'listen' for spoken credit card numbers through the microphone, or 'feel' keystroke vibrations using the accelerometer,” said researchers. “Yet the possibilities of what malware can 'see' through a camera have been understudied.”
Visual malware was also a threat in the pre-installed malware recently discovered on Windows PCs coming out of China. That code made use of a computer’s built-in camera and speakers to take stock of a victim’s surroundings.