Skip to navigation
Latest News

Music and lights could trigger malware

digital music

By Shona Ghosh

Posted on 17 May 2013 at 17:11

Pulling out your phone in a cinema or a room with flickering lights could be enough to trigger malicious software on your smartphone, researchers have found.

Mobiles infected with hidden malware could be "triggered" if their in-built sensors – microphones, cameras or vibration sensors – picked up pre-defined signals hidden in songs, TV programmes or flickering lights.

Researchers at the University of Alabama ran a set of prototype apps on an HTC Evo running on Android 2.2.3 (Gingerbread) which could access the phone’s sensors. Aside from cameras and microphones, smartphones also contain sensors that can detect vibrations or magnetic fields, which the researchers said could be similarly compromised.

The embedded malware was programmed to remain dormant until the sensor picked up the relevant trigger – which could be anything from a song played over the radio to a specific pattern of flickering lights. Once triggered, the activated malware would then carry out the programmed attack, either by itself or as part of a wider botnet of mobile devices.

Since most antivirus software doesn’t monitor how apps use standard smartphone features like cameras and microphones, the researchers said malware programmed for sensors posed a huge risk.

"When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the internet as vulnerable to malware attacks," said lead researcher Dr. Ragib Hasan. "We devote a lot of our efforts towards securing traditional communication channels. But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that."

Crashing the airport Wi-Fi

Since the trigger needs to be relatively close to the smartphone to active any hidden malware, any threats would be limited to the local environment. For example, since audio signals can only travel so far without interference, an infected smartphone would need to be somewhere contained, like the cinema, for an audio trigger to work.

But researchers found they only needed a short distance to transmit their triggers, and that they could even overcome background noise. There was also nothing to stop them activating multiple infected devices in one go, creating a localised botnet to wreak some highly concentrated mayhem.

For example, if there were a number of infected smartphones in an airport, hackers could use the wider botnet to launch a denial-of-service attack and bring down the building’s Wi-Fi or other systems. More seriously, they could interfere with aircraft radio signals to disrupt take-off or landing procedures. Other threats to safety could include interfering with a car’s navigation system or a household’s burglar alarm.

The researchers found that cameras and microphones were the most effective way to trigger malware, but also noted that a heavy bass pattern could trigger the vibration sensor. The emergence of NFC as a payment mechanism also poses a potential danger, since particularly unscrupulous hackers could attach magnets to NFC readers and trigger a phone’s magnet sensors. Although that means attacks would be limited, the researchers said they could still take place even if phones were kept in phones or bags.

Scouring sensor samples

The researchers focused on Android, namely because apps are allowed to run in the background and access features like the microphone "without restriction". Although they didn’t test iOS for similar weaknesses, they suggested that Apple’s restrictive policies might make it more secure.

As a possible defence, they suggested that anti-malware software should scan sensor data for signs of any hacks – though that isn’t foolproof since that’s a "heavyweight" operation, and many apps make legitimate use of sensors anyway. Another solution could be to track how much battery sensor-using apps take up, since anything using more than one would need more power.

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments


Is this story a joke? It's chock full of ridiculous statements and implausible situations!

"When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the internet as vulnerable to malware attacks". Just think that through for a minute. The malware has to be already on your phone and the "arena or Starbucks" has to play exactly the right music. Not even a comedy villain would come up with a plan so convoluted and full of holes.

"More seriously, they could interfere with aircraft radio signals to disrupt take-off or landing procedures" - so if they could get the exact same malware onto enough phones, and they could get enough of those phones onto the same plane, and all those phones were somehow left on, and they could get a trigger to activate all those phones, they could *possibly* cause a plane to miss its take-off or landing slot! That is truly terrifying. It will keep me awake at night, possibly for several seconds.

Sorry, but I think you've been 'had'.

By nelviticus on 17 May 2013

Agree with the poster above

How is this any different from a botnet which listens for a command from the 'net?

Researchers have proven that you can use a programming language to program stuff. Keep up the good work.

By ChrisH on 17 May 2013

I'm surprised to hear this is coming from researchers at a university. I was sure this had anti-virus company written all over it.

By steviesteveo on 18 May 2013

Buzzword bingo!

Buzzword bingo!
nelviticus used the phrase 'paradigm shift'.
Personally, I'd rather repurpose user-centric deliverables ;-)

By AndyChips on 18 May 2013

What is happening to PC Pro?

Has PC Pro been infected by malware too? Where is the sensible journalism in this article? Whilst it may be possible in an extreme lab test experiment, in reality, there are so many factors to consider (including a critical eye - sadly missing from this report), let alone the music/lights being picked up by the sensors at the specific frequencies required. Still it comes from the University of Alabama, ranking a heady 451 in the world's "top" 2012 Universities. Off to buy a tin foil hat.

By isofa on 18 May 2013

What is the actual news here?

What they're saying is that software on phones can respond to external sounds and inputs? And that it is possible for software on phones to be malware? Just as well clever people are researching this stuff for us isn't it.

By halsteadk on 19 May 2013

Bogus story...

as the others have said, the story is bogus.

The sound and light cannot infect the machine, therefore the whole story is skewed. The phone first needs to be "infected" with malware, which then listens / looks for queues from outside.

As others have said, no different from any current bot, except it is "listening" through the sensors for its cues.

By big_D on 21 May 2013

Leave a comment

You need to Login or Register to comment.



Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing


Sponsored Links

Your email:

Your password:

remember me


Hitwise Top 10 Website 2010

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.