Software infecting the running system could send packets received via audio to localhost. I'm not saying it's likely, but it's a remotely plausible explanation for the article's description of the attack and investigation.
Software infecting the running system could send packets received via audio to localhost.
Hm. I suppose this is theoretically possible, but I don't see why it would be done in a practical sense. If the malware needs to "phone home", it doesn't need to send packets via localhost; it just sends them out on whatever interface is connected to the Internet. (But how would you distinguish those packets from any others being sent out to the Internet?) If the malware is divided up into multiple processes that need to communicate with each other, why would they betray themselves by connecting via localhost? If they are on OS X or Linux, they can use Unix sockets, which don't need to go through any network interface. If they are on Windows, they can use any of several Windows IPC mechanisms that don't require a network interface.
