PlaceRaider. The name sounds like a gamer tag someone would use on Xbox. It isn’t a gamer tag, however. (Well, it might be, but not in the context of this article.) PlaceRaider is the name of a new piece of malware developed by Robert Templeman from the US Naval Surface Warfare Center in conjunction with a few people from Indiana University. And damn is it scary. So scary, in fact, that it is being described as “malware designed to steal your life”.
Categorized in a new class called “visual malware”, PlaceRaider infects smartphones in the form of a malicious app. Once installed, PlaceRaider runs in the background and continually and secretly takes photos using the smartphone’s camera. (PlaceRaider mutes the phone so that no shutter sound is made when photos are snapped.) These photos are then sent to a remote server, which filters them to remove dark or blurry images (such as photos taken when a phone is in a pocket) and creates a 3D model out of the remaining ones. Since this 3D model is made from photos taken by the smartphone (i.e. photos of the target person’s surroundings), the model potentially contains sensitive and personal information — such as credit card numbers, computer activity, etc. This information is stolen by analyzing the 3D model.
Currently, PlaceRaider has been developed to work on Android 2.3. However, seeing as the malware doesn’t exploit any specific Android vulnerability but rather tricks users into installing the app, Templeman sees no issues with it being ported to other platforms such as iOS or Windows Phone:
“We implemented on Android for practical reasons, but we expect such malware to generalize to other platforms such as iOS and Windows Phone.”
Templeman also mentions that while he and his team designed PlaceRaider to take photos, it is possible to do the same thing with videos.
Since this was developed by a research arm of the US Navy, there isn’t too much reason to worry about PlaceRaider appearing in the wild. While I’m sure the Navy will use this technology for warfare and intelligence gathering purposes, I highly doubt they would release it on the general public. However, if Templeman and friends can develop something like this, it isn’t hard to imagine that someone else can, too — someone else who may release the malware in the wild for devious purposes.
This is yet another reason to be careful about what you install on your smartphone because, after all, it may be small, but it is a full-blown computer.