MALICIOUS YOUTUBE VIDEOS COULD HIJACK PHONES WITH HIDDEN VOICE COMMANDS
Malicious YouTube videos could potentially trick smartphones into installing malware, according to security researchers.
Experts from the University of California and Georgetown University said secret instructions in online content could trigger devices’ voice features and make them execute commands.
Videos could contain noises recognisable to smartphones that could manipulate assistants like Google Now and even prompt them to visit websites containing malware.
Even worse, all this could be done without any awareness on the victim’s part. In a video demonstrating the attack, the researchers showed how they could make an Android phone open webpages and turn on its airplane mode using recordings.
“Under the white-box model, the attacker has full knowledge of the internals of the speech recognition system and uses it to create attack commands that we demonstrate through user testing are not understandable by humans,” they say on their website.
However, security experts say it is unlikely the attack will become common.
“Luckily, this attack isn’t likely to become widespread,” explained McAfee’s chief consumer security evangelist Gary Davis in a blog post. “So far, researchers have only demonstrated its potential – criminals haven’t actually been discovered using it.
“Additionally, there are easier methods for crooks to implement on a mass scale. However, the discovery is poignant, given the prominence of vocal recognition today.”
As a precaution, he advised users to turn off their devices’ always-on vocal recognition modes and avoid clicking on suspicious videos when browsing online.
Previously, two researchers showed how Siri and Google Now could be silently manipulated by radio waves to perform commands if devices’ headphones were left plugged in.
Although the attack could be implemented without the victim’s knowledge, the researchers said it relied on specific circumstances and only had a range of about two metres.