Proof-of-concept Android Trojan uses motion sensor to determine tapped keys
Researchers design an app that analyzes subtle smartphone movements to infer what's being typed on touchscreens
IDG News Service - A team of researchers from Pennsylvania State University (PSU) and IBM have designed a proof-of-concept Android Trojan app that can steal passwords and other sensitive information by using the smartphone's motion sensors to determine what keys victims tap on their touchscreens when unlocking their phones or inputting credit card numbers during phone banking operations.
The Trojan horse is dubbed TapLogger by its creators and was designed to demonstrate how data from a smartphone's accelerometer and orientation sensors can be abused by applications with no special security permissions to compromise privacy.
TapLogger was created by Zhi Xu, a PhD candidate in the Department of Computer Science and Engineering at PSU, Kun Bai, a researcher at IBM T.J. Watson Research Center and Sencun Zhu, an associate professor of Computer Science and Engineering at PSU's College of Engineering.
Accelerometer and orientation sensor data are not protected under Android's security model, and this means that they are exposed to any application, regardless of its permissions on the system, the research team said in a paper that was presented during the ACM Conference on Security and Privacy in Wireless and Mobile Networks on Tuesday.
The TapLogger application functions as an icon-matching game, but has several background components that capture and use data from the motion sensors to infer touchscreen-based user input.
When certain regions of the touchscreen are tapped during the normal phone operation, the device experiences subtle moves. For example, tapping somewhere on the right side of the touchscreen, will cause the phone to tilt slightly to the right.
These phone movements are picked up by the motion sensors and can then be analyzed to build patterns corresponding to specific tap events when performing certain actions, like when typing the screen unlock PIN or entering the credit card number during a phone call.
After installation, TapLogger runs in training mode and collects motion sensor data while the user plays the icon-matching game. This is necessary because tap-generated movements can be different for every phone and user.
After it has collected enough data, the Trojan app builds tap event patterns and starts using them to infer user input during targeted operations.
"While the applications relying on mobile sensing are booming, the security and privacy issues related to such applications are not well understood yet," the researchers said in their paper, noting that other motion sensor-based attacks have been demonstrated in the past.
In August 2011, a pair of researchers from University of California proposed a similar attack and designed a concept application called TouchLogger to demonstrate it.
However, compared to TouchLogger, TapLogger uses additional orientation sensor readings and introduces the training mode for device-specific data. It also features stealth options and supports two practical attacks -- inferring screen unlock passwords and credit card PIN numbers, the new Trojan's creators said.
Another motion-sensor-based attack was presented in October 2011 by a research team from the Georgia Institute of Technology, who used data from an iPhone 4's accelerometer and gyroscope to infer what was being typed on a computer keyboard positioned near the device.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Separating Work and Personal at the Platform Level: How BlackBerry Balance Works BlackBerry® Balance™ separates work from personal on the same mobile device, right at a platform level. Find out how it can work for...
- Protection for Every Enterprise: How BlackBerry Security Works Get an IT-level review of BlackBerry® Security, addressing data leakage protection, certified encryption, containerization and much more.
- Future Focus: What's Coming in Enterprise Mobility Management (EMM) Find out why Enterprise Mobility Management (EMM) solutions that are truly future-ready must be designed to enable Machine-to-Machine (M2M) capabilities and much more.
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Unmasking the Differences between Consumer and Enterprise File Sync & Share The consumerization of IT combined with the rapid pace of the modern mobile workplace is forcing enterprise IT teams to evaluate file sync...
- Live Webcast Workforce Mobilization for Improved Productivity A mobility research director from Aberdeen discusses reasons for extending legacy applications to mobile devices, and an integration strategist from Attachmate shows how...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of... All Mobile/Wireless White Papers | Webcasts