Newly released malware PlaceRaider sounds like science fiction: It’s Android malware designed to build 3-D models of users’ apartments for burglars and assassins. But PlaceRaider–developed by a team at Indiana University–is very real. The new malware was built as an academic exercise, and it exposes security flaws that government agencies would love to use. More importantly, it also exposes unintended mobile functionality that large companies like Google could easily monetize.

PlaceRaider, which was summarized in a recent arXiv paper, is a piece of “visual malware” which smartphone cameras, accelerometers, and gyroscopes, to reconstruct victims’ rooms and offices. The trojan runs in the background of any phone running Android 2.3 or above, and is hidden in a photography app that gives PlaceRaider the necessary permissions to access the camera and upload images. Once installed, PlaceRaider quietly takes pictures at random that are tagged with the time, location, and orientation of the phone. PlaceRaider also, of course, mutes the phone’s shutter sound.





This is where the fun begins. Once pictures are taken, PlaceRaider’s algorithms filter out dark or blurry photos and upload the rest to a central server. As pictures are uploaded onto the central server, they are knitted together into a 3D model of the indoor location where the pics were taken. If a user’s credit card, bank information, or personal information happen to be out in the open–all the better. End users will also be able to get the full layout of a victim’s office or room.

The project’s chief architect, Robert Templeman, also works at Indiana’s Naval Surface Warfare Center. In tests, Templeman and his team had twenty participants recruited on a college campus unknowingly install PlaceRaider on their phones–participants were initially told they were participating in a study on smartphone use–and the software was automatically set to take 1MP pictures without the user’s knowledge.

Once PlaceRaider had mapped out a test room (with planted financial and personal information) that was used in a study, a separate group of participants were able to use the 3D models created by the software to successfully find the financial data, bar codes, and QR codes that Templeman’s team had planted. In their paper, Templeman’s team notes that object recognition, image matching, and machine learning algorithms could easily be adapted to PlaceRaider’s code.

Even more than the scary aspects of Android Malware, the Indiana University team has successfully used an Android phone as an impromptu 3D mapping tool-one that is also useful for architecture, design, and many other fields. It’s not too far fetched; smartphone software that watches and analyzes you as you sleep has already been developed. The next step, possibly? Google Maps for your apartment.