Fortunately, the good news is that the malware is part of a research experiment done by white hats and poses no risk to smartphone users (at the time).
Researchers from five universities in the United States – Texas A&M University, New Jersey Institute of Technology, Temple University, University of Dayton, and Rutgers University – teamed up and built EarSpy.
Abusing the hardware
EarSpy is a side-channel attack that abuses the fact that smartphone speakers, motion sensors, and gyroscopes, had gotten better over the years.
The malware tries to read the data captured by motion sensors, as the endpoint’s ear speakers reverberate during a conversation. In earlier years, this wasn’t a viable attack vector as the speakers and sensors weren’t that powerful.
To prove their point, the researchers used two smartphones – one from 2016, and one from 2019. The difference in the amount of data gathered was quite obvious.
To test if the data could be used to identify the caller’s gender and recognize the speech, the researchers used a OnePlus 7T device, and a OnePlus 9 device.
Caller gender identification on the former was between 77.7% and 98.7%, while the caller’s identification between 63.0% and 91.2%. Speech recognition danced between 51.8% and 56.4%.
“As there are ten different classes here, the accuracy still exhibits five times greater accuracy than a random guess, which implies that vibration due to the ear speaker induced a reasonable amount of distinguishable impact on accelerometer data,” the researchers explained in the whitepaper.
The researchers were also able to guess the caller’s gender quite well on the OnePlus 9 smartphone (88.7% on average), but identification fell to an average of 73.6%. Speech recognition fell between 33.3% and 41.6%.
- Here’s our take on the best Android antivirus apps today