Stealth game steals info from Android sensors

April 24, 2012 by Nancy Owano report
The attack overview

( -- No joke. A proof-of-concept application for phones running Android pretends to be a fun challenge asking the user to identify identical icons from a bunch of images. All the while the app monitors sensors to identify user information such as PINs and SS numbers. In brief, you are looking at a Trojan that can track what you type into your phone using your phone's motion sensors. The Trojan’s final feat is uploading the info on to the attacker’s controlled computer. The sensor-snooping app is called TapLogger and it was designed to prove a point: Android has yet another security design weakness that allows installed apps free access to motion sensor readings.

In the case of the rogue game, it picks up the phone‘s accelerometer, gyroscope, and orientation to infer digits entered into the device. Attackers would not directly get your keystrokes, but they would get the screen area where you tapped, and reference that with how that lines up with the digital keyboard. Ars Technica details how it works: “By logging the precise changes along three dimensions—azimuth, pitch, and roll—the makes educated guesses about the touchscreen regions that were tapped to generate the orientation changes. TapLogger then maps those regions to the user interface of the screenlock or dial pad of a specific Android phone.”

To crack a four-digit PIN using information from TapLogger, a thief can narrow the number of tries to 81 with an average of a 100-percent chance of success. Using TapLogger to crack a six-digit PIN generates a search space of 729 likely combinations with an average success rate of 80 percent.

The team from Pennsylvania State University and IBM who designed the Trojan app are Zhi Xu, a PhD candidate at PSU, Kun Bai, a researcher at IBM and Sencun Zhu, an associate professor at PSU. They presented their paper, “TapLogger: Inferring User Inputs On Smartphone Touchscreens Using On-board ” to the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks in Tucson, Arizona, which ran from April 16 to April 18.

If mobile sensors are the next big thing for the mobile device industry to pursue as new features, mobile sensors will also be the next big area for security thieves to exploit. The problem, say the researchers, is that thieves may get a head start toward an easy target. “While the applications relying on mobile sensing are booming, the security and privacy issues related to such applications are not well understood yet,” say the paper’s authors. “People are still unaware of potential risks of unmanaged sensors on smartphones. To prevent such types of attacks, we see an urgent need for sensing management systems on the existing commodity smartphone platforms.”

In implementing TapLogger as an Android application, the proof-of-concept app did not require any security permission to access the accelerometer and orientation sensors. While the team worked up an Android application, Android may not be the only platform at issue.“The fundamental problem here,” Zhi Xu told Ars Technica, “is that sensing is unmanaged on existing smartphone platforms." iOS devices are not vulnerable to such attacks, unless they are jailbroken. The authors did not discuss on-board sensors in Blackberry devices but they said,”We will address it in our future work.”

Explore further: Android Security Alert: Trojan GGTracker subscribes users to premium SMS services

More information: Research paper:

Related Stories

Android mug shots have no lock and key

March 4, 2012

( -- If Google loyalists will persist that this Internet Goliath can do no evil, they at least need to admit, based on new evidence this week, that Google can do a lot of mindless harm. A security door in Android ...

WalkSafe app shields smartphone pedestrians (w/ video)

November 28, 2011

( -- Smartphone users who as pedestrians are not very smart about crossing and looking both ways now have a protective shield in the form of an Android app which they can download for free. A research team from ...

Android users get malware with their apps

March 2, 2011

( -- As new platforms make their way into the market there will always someone who is looking to exploit them for illegal or unethical ends. More proof of that fact has come today when Google was forced to removed ...

What is the price of free?

March 6, 2012

Scientists from the Computer Laboratory at Cambridge University have designed a method to improve privacy control in the Android apps market. The method reaches a balance between the need for developer’s revenue and ...

Recommended for you

Renewable energy has robust future in much of Africa: study

March 27, 2017

As Africa gears up for a tripling of electricity demand by 2030, a new Berkeley study maps out a viable strategy for developing wind and solar power while simultaneously reducing the continent's reliance on fossil fuels and ...


Adjust slider to filter visible comments by rank

Display comments: newest first

5 / 5 (2) Apr 24, 2012
A couple of workarounds to combat this...

You could minimise the sensor data by pressing your phone onto a flat hard surface before entering your pin.

Apps asking for pin numbers could put up a randomised number pad with the numbers not in their normal positions and different layouts each time.
2.6 / 5 (7) Apr 24, 2012
I guess in every mega company there is a secret basement department staffed with geeks whose job is to find and engineer demonstrable weaknesses of competitor's products, to torpedo their market shares. Perfectly legal, and making economic sense.
1 / 5 (1) Apr 24, 2012
nice work a***oles, do you also tell your kids about Santa?
not rated yet Apr 24, 2012
And if every company does it, sooner or later, the flaws in their own products will also be revealed. Thus, it also makes consumer sense.
1 / 5 (2) Apr 24, 2012
Apps asking for pin numbers could put up a randomised number pad with the numbers not in their normal positions and different layouts each time.

They should, and a few online games also do that, mainly to prevent automated bots but also to prevent people looking over your shoulder and seeing what number you put in
not rated yet Apr 25, 2012
Apps asking for pin numbers could put up a randomised number pad with the numbers not in their normal positions and different layouts each time.

They should, and a few online games also do that, mainly to prevent automated bots but also to prevent people looking over your shoulder and seeing what number you put in

My bank does something like that for passwords. The pin is still keyboard activated, but there's also an additional password mode when you log in with some random numbers and letters and you need to click the ones to spell out your password.
not rated yet Apr 25, 2012
"it also makes consumer sense."

buy more and be happy!
not rated yet Apr 25, 2012
It just proves that the open market needs a 'safe to use apps' certificate and the ability of android to set application rights to use sensors.
not rated yet Apr 25, 2012
The fundamental problem is that Android doesn't require permission to access sensors the same way it requires permission to access GPS, to use the vibrator motor, to access the camera, etc.

Correcting this problem is technically very easy; the only challenge will be backwards compatibility with existing applications, which is probably why Google hasn't fixed this yet.
5 / 5 (4) Apr 25, 2012
Wait.. what about Santa?
5 / 5 (1) Apr 25, 2012
Wait.. what about Santa?

He was going to get you a new Android phone, now he is not sure anymore.
not rated yet Apr 26, 2012
More important Google should allow the Android user to install a Firewall!

It is now impossible to root one!?

The only reason Google doesn't allow this, is money?
not rated yet Apr 29, 2012
nice work a***oles, do you also tell your kids about Santa?

The alternative is to go for 'security by obscurity' - which is the worst possible security mechanism.

There are people out there who will want to use anything they can get their hands on for profit. Better to expose weaknesses in the system than to wait until they do.

My solution: Don't get a smartphone. They're overpriced gadgets chock full of useless 'apps'. Get a phone.
not rated yet Apr 29, 2012
You could probably get the same situation with the microphone and camera. Even a magnetic compass may sense metal moving with the finger typing. I guess the password entry applications should just disable all inputs and other running background apps.
1 / 5 (1) Apr 29, 2012
@hsvt its not google that disallows rooting, they even release a special phone that is easy to root.
Its the phone carriers that protect against rooting for legal reasons.
Your phone has a limited cell tower communication law. You carrier is not liable because they prtoect against rooting.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.