A group of researchers at the Black Hat DC Conference has shown a new way of attacking laptops and smartphones, just by plugging the phone into PC via USB. They have developed a low-profile Trojan horse program for Android that steals data, with little chance of getting traced by antivirus software. This makes use of USB-connected smartphones masked as a mouse or keyboard instead of a phone, and takes control of the computer to steal data.

But that’s not the only Trojan in the house this week.  Another piece of malware, called Soundminer, monitors phone calls and records when a person says or dials a confidential number, such as credit card number. A study done by  Roman Schlegel of City University of Hong Kong and Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang of Indiana University in Bloomington, Indiana has brought out some shocking results with regards to this malware.

“We implemented Soundminer on an Android phone and evaluated our technique using realistic phone conversation data,” they wrote. “Our study shows that an individual’s credit card number can be reliably identified and stealthily disclosed. Therefore, the threat of such an attack is real.”

Two Android antivirus software were used to identify  Soundminer, including VirusGuard from SMobile Systems and Droid Security’s AntiVirus, but both of them failed to identify it as malware even when it was recording and uploading data.

On the defending side, Google informed via an email that it has designed Android to minimize the impact of “poorly programmed or malicious applications if they appear on a device.”

“If users believe an application is harmful or inappropriate, they can flag it, give it a low rating, leave a detailed comment, and of course, remove it from their device,” Google said. “Applications deemed to be in violation of our policies are removed from Market, and abusive developers can also be blocked from using the Android Market for repeated or egregious violations of our policies.”

Mobile security is becoming a big topic of discussion, with attention shifting to smartphones as ripe opportunities for attack.  The security tools around mobile devices aren’t as mature or established as in the PC world, and Android in particular is being targeted for malware and criticism.  A report from Cisco this morning highlighted this shift to the mobile world, and as the security industry steps in to address Android’s rising issues, stories like this become marketing fodder for new antivirus products.

Nevertheless, it’s an important concern to address, and many companies are taking a closer look at the matter.  Here we have a report from Commtouch, outlining recent malware behavior over the holiday season, while the recently funded Lookout continues to build security services specifically for the mobile sector.