Khuong Nguyen, a researcher at the centre, and his PhD student, Robert Choudhury, have recently published new findings on the vulnerabilities that smartphones still present to malicious software, despite the tightening of permissions for software to access the device’s information. This research will be published at the 8th International Conference on Information Systems Security and Privacy (ICISSP 2022).

Malicious software (malware) is designed to circumvent the security policy of the host device, such as a smartphone or tablet. In recent years, smartphones have become an attractive target for malware authors, as they are often a rich source of sensitive information, including personal details. Sensors (such as cameras or microphones) are particularly attractive to attackers because they allow observation of the victims in real time.

To counteract this threat, there has been a tightening of privileges on mobile devices’ sensors: app developers are required to declare which sensors they need access to, and users need to give consent.

However, by surveying publicly accessible malware analysis platforms, this research offers unique evidence that there are still implementations of sensors that are trivial for a program to detect without exposing its malicious intent.

The research also demonstrates that, despite recent changes to the permission model by Google, it is still possible for malware to identify whether it is running in a security analyst’s sandbox or on an actual consumer’s device, through a novel use of Android’s Activity Recognition API.
