Trojan Uses Motion Sensors To Steal Smartphone Data

Researchers have built a Trojan t hat uses Android’s built-in motion sensors to steal handset and bank card PINs

Motion-sensor data from smartphones can be used to effectively guess what keys a user is tapping and steal sensitive data such as PINs and bank details, according to new research (PDF) from Pennsylvania State University (PSU) and IBM.

The researchers developed a proof-of-concept Trojan for Android called TapLogger that uses a “training mode” to build up a database of key-click information before applying the information to refine its guesses as to what keys a user is tapping at any given moment.

Stealth attack

The software masquerades as an icon-matching game, and after the user has played 30 rounds it has access to more than 400 “tap events”, researchers said.

“When the user is interacting with the Trojan application, it learns the motion change patterns of tap events,” the researchers said in their paper. “Later, when the user is performing sensitive inputs, such as entering passwords on the touchscreen, the Trojan application applies the learnt pattern to infer the occurrence of tap events on the touchscreen as well as the tapped positions on the touchscreen.”

The study was carried out by Zhi Xu, a PhD candidate in the Department of Computer Science and Engineering at PSU; Kun Bai, a researcher at IBM’s T.J. Watson Research Centre; and Sencun Zhu, an associate professor of Computer Science and Engineering at PSU’s College of Engineering.

The research builds on the fact that smartphone applications don’t need any particular security clearance to access information from motion sensors. While their Trojan application was built for Android, the researchers said Apple’s iPhone also makes motion-sensor data available to unprivileged applications.

The Trojan works because of the correlations between tap events and the motion change of the smartphone, the researchers said.

Subtle changes

During a tap event, the acceleration of the smartphone changes due to the force of the finger on the touchscreen. The taps also cause the handset to make particular movements. For example, when the user taps on the left side of the screen, this may cause the handset to turn slightly to the left.

“By observing the gesture changes during a tap event, the attacker may roughly infer the tapped position on the touchscreen,” the researchers wrote.

The results may not be precise, but if the attacker knows contextual information such as the layout of the current view of the touchscreen, “he may be able to infer the user’s inputs (e.g. the pressed number button) with the inferred tap position”.

The paper, which was presented at the ACM Conference on Security and Privacy in Wireless and Mobile Networks last week, showed two feasible TapLogger-based attacks – guessing the PIN used to unlock the device and guessing a credit card PIN.

A University of California study last year (PDF) demonstrated a similar attack using software called TouchLogger, but TapLogger introduces a training mode and uses more orientation sensor readings, as well as applying the research to two practical attacks.

Android has been the focus of increasing security concern, with a report in February finding that the number of malicious apps targeting the platform increased by more than 3000 percent in 2011.

Last month the US’ National Security Agency (NSA) said it had built an ultra-secure Android handset allowing fully-encrypted calls connecting through NSA servers. The NSA said it plans to share some of the technology behind the smartphone, codenamed “Fishbowl”, for the creation of more secure Android handsets.

How well do you know Internet security? Try our quiz and find out!