A new malware variant has been detected that is capable of listening to a user’s phone calls, identifying the caller’s gender and identity, and even recognizing to some extent what was said.
Fortunately, the malware was part of a research experiment conducted by white hats and did not pose a risk to smartphone users (at the time).
Researchers from five U.S. universities (Texas A&M University, New Jersey Institute of Technology, Temple University, University of Dayton, and Rutgers University) teamed up to create EarSpy.
Abusing hardware
EarSpy is a side-channel attack that abuses the fact that smartphone speakers, motion sensors, and gyroscopes have gotten better over the years.
The malware attempts to read the data captured by the motion sensor as the device’s ear speaker reverberates during the conversation. In earlier years, this wasn’t a viable attack vector because the speakers and sensors weren’t as powerful.
To prove their point, the researchers used two smartphones — one from 2016 and one from 2019. The difference in the amount of data collected is significant.
To test whether the data could be used to identify the gender of a caller and recognize speech, the researchers used a OnePlus 7T device and a OnePlus 9 device.
On the former, caller gender identification ranged from 77.7% to 98.7%, while caller identification ranged from 63.0% to 91.2%. Speech recognition bounced between 51.8 percent and 56.4 percent.
“Since there are ten different categories here, the accuracy is still five times better than random guessing, which means that vibrations induced by the earphones have a sizeable and distinguishable effect on the accelerometer data,” the researchers explain in the white paper.
The researchers were also able to guess the gender of the caller fairly well on the OnePlus 9 smartphone (88.7 percent on average), but the caller identification rate dropped to an average of 73.6 percent. Speech recognition rates dropped to between 33.3 percent and 41.6 percent.
Via: BleepingComputer