Researchers have developed a proof-of-concept Android program that can literally keep an ear out for credit card numbers.

Dubbed Soundminer, the software uses the phone’s microphone to listen for credit card numbers spoken aloud, or typed into the phone, Forbes reports. It was developed by six researchers at Indiana University and the City University of Hong Kong, who plan to demonstrate it next month at a security symposium in San Diego.

The team set out to show how even a smart user — one who doesn’t give unknown programs access to their keyboard or web browsing — can be tricked. If a strange application asks for access to their phone’s microphone instead, they may be less inclined to think it could steal their data. As they speak or type credit card numbers, Soundminer then records their information.

The software also doesn’t require access to a network connection to transmit data. It instead relies on a sneaky “covert channel” — one that allows apps to send small bits of data to other apps — to forward the stolen information to an app called Deliverer, which in turn sends the data to a hacker. According to the researchers, the Deliver app could be installed automatically upon Soundminer’s installation.

“The covert channels that the researchers identify include the phone’s vibration, volume, and screen wake-up settings, all of which are shared with other applications when they’re changed,” writes Forbes’ Andy Greenberg. “By tweaking those settings in a certain pattern, Soundminer sends a simple secret code to Deliverer, which in turn passes it on to the hacker. And because Soundminer extracts the credit card number from the audio track rather than transmit the entire file, it only has to share 16 digits with Deliverer, easily small enough for its subtle communications to the other malicious app.”

Being the product of researchers, and not malicious hackers, Soundminer’s real purpose is to expose the security flaw in Android. In their paper on Soundminer (PDF link), the researchers propose that users can disable audio feedback noises, and Google could implement better app permissions, to plug the security exploit.

Check out a video of Soundminer in action below:

