3

Suppose my smartphone has been compromised and there is malicious software running on it. You can assume that the malicious software has broken out of any sandboxes and is running as root.

If I'm on a phone call, can the malicious software change what I'm hearing? Can it modify the audio of the phone call? In other words, can it mount a man-in-the-middle attack on the audio channel of a phone call that I place from my smartphone or that I receive on my smartphone?

Also, can the malicious software eavesdrop on the phone call, i.e., can it record the audio of the entire call?

I realize this might be a little bit "science-fiction-y". Still, I'm interested in whether it is possible, even in principle. Or is there some fundamental barrier that would make it difficult or impossible for an attacker who has compromised the software on my smartphone to mess with my phone calls like this?

D.W.
  • The term for this is actually [Man-in-the-Mobile](https://en.wikipedia.org/wiki/Man-in-the-browser#Man-in-the-Mobile). (Though it is perhaps not as widely used as MitM.) And yes, the software running on your phone essentially has complete control over the data coming into and out of that device. – Ajedi32 Mar 29 '16 at 17:41

2 Answers

6

Yes, the "phone" itself is an application. It can be hijacked or replaced entirely. In fact, Android handsets are DESIGNED to do this so that you can automatically use a VOIP provider when making phone calls if you so desire. Malware with complete device control could simply place itself as such a service and when you dialed a call, it would be connected through VOIP and the attacker.

Even without doing this, the microphone and speaker are also controlled by software and there isn't any reason that it couldn't record the input and output from there either if it has sufficient privileges to the system.

AJ Henderson
  • Are you sure? Can you elaborate on how this works, what permissions are required, and what APIs would be used? I've researched this a bit further, and it looks like third-party apps (such as VOIP apps) *are* able to intercept outgoing calls, but *not* incoming calls. In particular, if you have the `PROCESS_OUTGOING_CALLS` permission, you'll be notified of all outgoing calls and can block them. However, in recent versions of Android, there appears to be no way to programmatically answer an incoming call and tamper with the audio stream. What have I missed? – D.W. Jan 30 '14 at 22:55
  • As far as software control of the microphone and speaker: can you elaborate? Are the microphone/speaker controlled by the application CPU, or by the modem/baseband chip? There's software, and then there's software. A lot of the telephony stuff is controlled by the baseband/modem chip, which I believe is harder to penetrate than the application CPU (apps run on the application CPU). I don't know phone architecture well enough to know what controls the speaker and microphone. Do you know how that works, well enough to say whether an app can do a MITM attack on speaker and microphone data? – D.W. Jan 30 '14 at 22:58
  • Another way to ask this would be: Do you know of any demonstration exploit, and how does it work? What you say seems like it could be plausible, but it would be interesting to actually see it done to confirm whether this kind of attack is truly possible -- and on what devices it does/doesn't work on. – D.W. Jan 30 '14 at 23:02
  • @D.W. there are different dialers provided by different manufacturers. The actual connection to the cell network is done through the radio, but the speaker and mic run through Android and the CPU. I know there are replacement dialers that you can install, though I'm not sure how deep of access is needed. It might require actually replacing kernel components, but that is theoretically possible if you are rooted and the bootloader is unlocked. – AJ Henderson Jan 30 '14 at 23:59
  • OK. I wonder if this is still possible if the phone is not rooted and the boot loader is not unlocked. I wonder what is possible. Sounds like it might make a good project to try to work out to what extent of a threat there is. – D.W. Jan 31 '14 at 00:21
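The comments above turn on which installed apps hold the `PROCESS_OUTGOING_CALLS` permission alongside microphone access. The following added example (not code from the thread) parses constructed text in the shape of `adb shell dumpsys package` output and flags packages granted both; the sample dump, package names and the regexes are assumptions, and the check only covers the non-rooted case raised in the last comment, since root-level malware can hide from package-manager output.

```python
import re
from typing import Dict, List, Set

# Permissions relevant to the thread: intercepting/redirecting outgoing
# calls, and capturing the microphone.
CALL_PERMS = {"android.permission.PROCESS_OUTGOING_CALLS"}
AUDIO_PERMS = {"android.permission.RECORD_AUDIO"}

# Constructed sample in the shape of `adb shell dumpsys package`; not a
# real capture from any device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.voipdialer] (3f2a1b):
    requested permissions:
      android.permission.PROCESS_OUTGOING_CALLS
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.PROCESS_OUTGOING_CALLS: granted=true
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true
  Package [com.example.notes] (9c0d4e):
    requested permissions:
      android.permission.RECORD_AUDIO
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted(dump: str) -> Dict[str, Set[str]]:
    """Map each package to the set of permissions actually granted to it
    (requested-but-denied permissions are ignored)."""
    granted: Dict[str, Set[str]] = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = GRANT_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def call_audio_capable(granted: Dict[str, Set[str]]) -> List[str]:
    """Packages holding both a call-interception and a microphone grant."""
    return sorted(p for p, perms in granted.items()
                  if perms & CALL_PERMS and perms & AUDIO_PERMS)
```

Run `parse_granted` over the real dump of a device to review which packages hold this combination; any you did not knowingly install as a dialer or VOIP client merit a closer look.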
0

As already pointed out, the technical aspects of a basic MitM attack on a voice call are plausible.

The hardest part of attacking a normal voice call would probably be faking the voice itself. If you're calling someone whose voice you recognise, then the attacker would need to either fake their voice/accent convincingly or have enough previously recorded samples from them (and you) to quickly give meaningful responses in the conversation. Doing that in real time so that you don't notice any delay seems like a really hard (and interesting) problem! A latency of more than 200 ms would be annoying if not suspicious. It's a far cry from substituting some text in an email or on a webpage.

Perhaps that's the part you thought sounded science-fiction-y.

James Bradbury