RESEARCH ARTICLE
Guess who is listening in to the board meeting: on the use of mobile device applications as roving spy bugs
Zahid Anwar* and Waqas Ahmad Khan
National University of Sciences and Technology, Sector H-12, Islamabad, Pakistan
ABSTRACT
Covert listening devices—a combination of a miniature radio transmitter and a microphone—have been used as key espionage instruments as early as the mid-20th century. More recently, hackers have started exploiting inherent weaknesses in current mobile platforms allowing them to remotely convert a victim’s smartphone device into a roving spy bug without his knowledge. The goal of this paper is to illustrate with the aid of an Android mobile platform application that permissions gained in a legitimate way can be used to evade the integrity and privacy of the mobile device and install malware that remains completely hidden. When the attacker makes a call to the victim’s phone, he is able to listen in to the victim’s surroundings transforming the mobile phone into a sophisticated covert listening device. This communication-level attack goes undetected by current detection mechanisms. An anomaly-based detection feature set is another contribution of this paper to mitigate the proposed attack. As more and more mobile devices are being rapidly integrated into enterprises with the increase in bring-your-own-device model in many organizations, without a rigorous security screening policy, this weakness tends to facilitate corporate espionage by presumably allowing as many spy bugs in the board meeting as there are attendees with mobiles. This work provides a demonstration of a dangerous espionage attack targeting smartphones whereby an attacker can, with the aid of an Android mobile platform application, make a call to the victim’s phone and listen in to the victim’s surroundings transforming the mobile phone into a sophisticated covert listening device. It also proposes and evaluates a defense technique to detect and mitigate the attack where existing security mechanisms fall short.
Copyright © 2015 John Wiley & Sons, Ltd.
KEYWORDS
spy bug; covert listening; Android malware; GSM bug; spying
*Correspondence
Dr Zahid Anwar, National University of Sciences and Technology, Sector H-12, Islamabad, Pakistan.
E-mail: zahid.anwar@seecs.edu.pk
1. INTRODUCTION
Covert listening devices, also known as spy bugs, have traditionally been specially designed hardware devices. Take, for example, the GSM Spy Bug N9 (Sinosky Technology Co., Ltd, Shenzhen, Guangdong, China) [1], a 6.4-oz, 3-day standby battery powered, global system for mobile communications frequency-operated audio bug available commercially over the counter for approximately $40. The N9’s two greatest limitations are difficulty of deployment at the right time and place and ease of detection via the use of wireless frequency scanners and electromagnetic field sweeping devices. Recently, mobile phones and associated equipment have been performing the additional function of spying devices. The advantages of low cost, mobility, and deception are obvious. Frequency scanners are powerless against this new breed of spying devices because these devices emit wireless frequencies as part of their regular function in any case. Recently, security experts hacked a Verizon femtocell, or mobile network extender, sold by Verizon (Verizon Communications Inc., New York, NY, U.S.A.) and manufactured by Samsung (Samsung, Seoul, South Korea), to act as an eavesdropping device. According to the report [2], a group interested in potential mergers might place a backpack with such a device in Manhattan restaurants frequented by investment bankers. In April 2013, a spy application repackaged as an Android-based mobile messaging client named Kakao Talk was sent to a prominent individual in the Tibetan political community via a social engineering attack email [3]. Once installed, the spy application was able to harvest contact information, short message service (SMS) message history, and geolocation of the victim and upload the information to a file server controlled by the hacker.
The increased capabilities of smartphones have inspired interest toward the development of applications for next-generation mobile platforms. Smartphones bring the mobility of traditional cell phones and the power of desktop
SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2015; 8:2813–2825
Published online 9 February 2015 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1205