Android malware uses motion to log keystrokes

Impact and angle of touch can reveal key presses, with enough statistical analysis

An Android app that pretends to be a game challenging Android users to identify the two identical icons on a screen of confusers is actually digital spy that uses the phone's motion sensors to identify the keys a user punches so it can collect sensitive user information such as Social Security numbers, bank accounts and PINs.

TapLogger isn't a real Trojan – at least it's not one that's been released to prey on Android users.

It's a proof of concept designed to demonstrate another Android security weakness: installed apps get free access to motion sensors and other data they can use to find the really sensitive information.

The game in TapLogger uses a phone's accelerometer, gyroscope and orientation sensor to infer what keys a user was pressing according to Ars Technica.

The exploit is similar to one developed in August called TouchLogger, which tested the ability of malware to capture keystrokes using only sound and changes in the electromagnetic field generated by the phone for indicators.

"Our insight is that motion sensors, such as accelerometers and gyroscopes, may be used to infer keystrokes," according to a paper describing the theory, which was presented at the HotSec '11 security workshop in San Francisco in August.

" When the user types on the soft keyboard on her smartphone (especially when she holds her phone by hand rather than placing it on a fixed surface), the phone vibrates. We discover that keystroke vibration on touch screens are highly correlated to the keys being typed," the paper read. (PDF)

The method seems haphazard, and is, at first. Over time, as the Trojan monitors user activity and changes during specific functions it learns to recognize changes in motion, position or other variables that indicate typing, and the vibrations that indicate where on a virtual keyboard a key was actually pressed.

Noting differences in taps and analyzing them statistically gives the Trojan a pretty accurate idea of what is being typed so it can record passwords and other data, the TapLogger paper said.

TapLogger may be the second motion-sensing exploit published as an app, but Android isn't the only smartphone OS with poor security on its motion sensors.

RIM has similar sensors and controls that could be incorporated, as do jailbroken iOS devices, the authors wrote.

The flaw exists "probably due to the assumption that data collected by motion sensors is not sensitive," the researchers wrote. Nearly any third-party app installed on an Android phone can also access the motion sensors and, if it's smart enough, the user's passwords as well.

The exploit requires more work than most, in statistical analysis and working with motion sensors, if nothing else.

The security picture for Android is not so tight, however, that inferring a keystroke from the felt motion of a phone is the only way to collect the data.

Android phones data leak in lots of ways; this one is just the most interesting to hit the web today.

Now savvy users have to beware of their physical position as well as their digital risk profile, just like in the real world.

I guess it's not enough to put a piece of electrical tape over the webcam on your laptop any more.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon