Researchers use Google Now to call expensive premium rate numbers

Spread the love

Researchers have misused a part of Google Now, Google Voice Search, to let the phone call expensive premium rate numbers or use SMS services without the user’s permission. Thanks to the trick, the malware app does not require any permissions.

Since the app does not require permissions, even advanced users should not ring any alarm bells when installing the app. Once installed, even if the phone is idle and has security, the app can invoke Google Voice Search through an “intent.” Via an audio file, a command can then be pronounced with which premium telephone numbers can be called or private data can be retrieved, report the researchers at Cornell University. They call it the ‘GVS hack’, after Google Voice Search.

Thanks to the trick, which the researchers have tested on a Samsung Galaxy S3, a Meizu smartphone and a Motorola device, it is probably possible to access a lot of private data on all Android smartphones with Google apps. There are, however, the necessary snags: for the trick to work, the app must audibly play an audio file.

The researchers have tried in various ways to work around this, but that does not work: for example, Google Voice Search, since Android 4.1 part of Google Now, does not accept high-frequency audio that people cannot hear. Manipulating the data afterwards also does not work; the connection between Voice Search and Google servers is secured with tls.

The implications of the discovery are small: any malware that uses this trick should play the audio file, allowing users to discover it. The researchers do not rule out the possibility that VoicEmployer, as they call the app, could also work in modified form on iOS or Windows Phone.

You might also like