Saturday, 11 June 2022

How do scammers obtain TAC by calling your phone

Thought experiment. 😶




1. The attacker obtains your password: a camera in a store, bank, or at your landlord's catches you typing it, or it is taken through phishing or a zero-day exploit such as StrandHogg 2.0 (https://promon.co/resources/downloads/strandhogg-2-0-new-serious-android-vulnerability/, https://www.xda-developers.com/strandhogg-2-0-android-vulnerability-explained-developer-mitigation/).


2. The attacker calls you.


3. You pick up the phone and answer it. 


4. The attacker records your voice.


5. The attacker converts your recorded voice into an inaudible form of the "Hey Google"/"Hey Siri" pattern (DolphinAttack, https://dl.acm.org/doi/pdf/10.1145/3133956.3134052, https://www.securityweek.com/siri-alexa-google-now-vulnerable-ultrasound-attacks, https://www.helpnetsecurity.com/2020/03/03/ultrasonic-waves-access-cellphones/).


6. The attacker puts or delivers an ultrasound device near you. 


7. Your phone is now triggered to run commands by a "Hey Google" or "Hey Siri" request delivered in ultrasound. You don't realise it because humans can't hear ultrasound. See the demonstration video, "get TAC by voice" (I may use typing since my speaking is bad). It has not been tested with ultrasound. The commands used: "Silent" -> "Dim the screen" -> "Open SMS app" -> "Send screenshot to 0133743923" -> "Please send" -> "Send".


8. If the attacker already has the victim's bank password, they just need to read the TAC SMS instead of exploiting other commands. Alternatively, they can reset the password using the leaked ATM card ID and password.

Note on step #6: direct voice transmission over the phone call does not work, because Google Assistant will not trigger while the Dialer app is already using the microphone.