Smartphone trojan steals motion sensors' data

TapLogger is just a proof-of-concept trojan for Android, but the issues it exposes for the smartphone world and smartphone-tailored security practices couldn’t be more practical: the trojan uses data coming from the motion sensors of a phone to infer security code numbers tapped by the user on the on-screen virtual keyboard.

Created as part of a research study by students and scientists of Pennsylvania State University in collaboration with IBM, TapLogger disguises itself as an icon-matching game where the users have to play 30 different rounds engaging in more than 400 “tap events”.

These first tap events, the study explains, are the trojan’s “training mode”, which lets it record enough sensor data to infer what virtual keys the user will be pressing afterward. The “trick” works because of the very slight changes to the smartphone's acceleration and position while a virtual keyboard is in use: “By observing the gesture changes during a tap event,” the researchers say, “the attacker may roughly infer the tapped position on the touchscreen”.

This “rough” inference, it turns out, is enough to build a couple of practical attacks: not only did the Penn researchers develop the trojan code, they also used TapLogger to guess the PIN number (used to protect the tested handheld) and a credit card PIN, as demonstrated at the ACM WiSec conference held in Tucson, Arizona.

The not-so-secure Android mobile OS now has another issue to deal with, but it isn’t alone: the researchers explain that although they developed the TapLogger code for the Google OS, the same “leaking sensors” problem can also apply to Apple iOS (iPhone/iPod/iPad). It’s the entire security model of giving unprivileged apps unrestricted access to sensor data that should be reformed for good.


5 Comments


Very interesting proof of concept.

Just goes to show what people can figure out how to do, kinda cool idea really.

Simple fix I guess, the kernel shuts off sensors at password screen or when entering sensitive data;

Auzeras said,

Simple fix I guess, the kernel shuts off sensors at password screen or when entering sensitive data;

Would be pretty hard to do tbh. What about sites like Amazon where you have to enter your credit card info? How would the kernel know?

-Razorfold said,

Would be pretty hard to do tbh. What about sites like Amazon where you have to enter your credit card info? How would the kernel know?

You could store your card details in your Amazon account so all you need to do is log in (the browser already knows it is a password field on the login screen so should be easy enough to turn sensors off).
This does mean that you have to trust the vendor with your card details though - millions of people seem to trust Amazon...

-Razorfold said,

Would be pretty hard to do tbh. What about sites like Amazon where you have to enter your credit card info? How would the kernel know?

Can be done by detecting it's using a secure connection.