PlaceRaider reveals why Android phones are a major security risk
PlaceRaider activates a phone’s camera and forces it to take pictures almost constantly. The originator of the malware uses the pictures to create a 3D image of the phone’s location without the owner’s knowledge, bypassing any physical or personal security measures.
PlaceRaider showcases a significant problem with smartphone cameras. The access permissions that PlaceRaider requires are no different than those of a typical “innocent enhanced camera applications,” the Naval Surface Warfare Center says, so a user could voluntarily install a “safe” application from an official app store without thinking of the implications. It would be hard for the owners of infected smartphones to know what’s happening, too, as the first indication would likely be excess data charges on the monthly bill.
Now, if the phone is in a pouch, pocket or purse, the risk is low, since the camera is unlikely to capture useful images. The risk manifests when someone is using the phone and the camera can see its surroundings. With an older phone that can’t multitask, the risk of exposure is limited, since the phone should not be able to run the malware while on the call. Even for phones that can’t process data and voice calls at the same time, though, the risk is real, as the phone could cache the pictures and then batch them when it can make a data call.
While the risk with this particular app is only visual, malware that tracks audio could effectively bug every phone running Android 2.3—the version the researchers worked with—and listen to all private conversations occurring within its range. Moreover, some of these phones have made significant advancements in noise cancellation that can even make conversations in a crowded room understandable. (Charging an Android phone in the bathroom or bedroom, then, is a bad idea.)
While it’s doubtful the U.S. Navy will release this app into the wild, it is likely that some other group may release a similar application—after all, the capability to capture a celebrity or politician accidentally making news, or to get critical intelligence on a foreign government, rival political party or business competitor, brings massive power. It also suggests that any smartphone may eventually be at risk, and that the only appropriate long-term fix may very well be the ability to ensure that monitoring software can’t be used on phones in