April 25, 2012, 3:07 PM — An Android app that pretends to be a game challenging Android users to identify the two identical icons on a screen of confusers is actually digital spy that uses the phone's motion sensors to identify the keys a user punches so it can collect sensitive user information such as Social Security numbers, bank accounts and PINs.
TapLogger isn't a real Trojan – at least it's not one that's been released to prey on Android users.
It's a proof of concept designed to demonstrate another Android security weakness: installed apps get free access to motion sensors and other data they can use to find the really sensitive information.
The game in TapLogger uses a phone's accelerometer, gyroscope and orientation sensor to infer what keys a user was pressing according to Ars Technica.
The exploit is similar to one developed in August called TouchLogger, which tested the ability of malware to capture keystrokes using only sound and changes in the electromagnetic field generated by the phone for indicators.
"Our insight is that motion sensors, such as accelerometers and gyroscopes, may be used to infer keystrokes," according to a paper describing the theory, which was presented at the HotSec '11 security workshop in San Francisco in August.
" When the user types on the soft keyboard on her smartphone (especially when she holds her phone by hand rather than placing it on a fixed surface), the phone vibrates. We discover that keystroke vibration on touch screens are highly correlated to the keys being typed," the paper read. (PDF)
The method seems haphazard, and is, at first. Over time, as the Trojan monitors user activity and changes during specific functions it learns to recognize changes in motion, position or other variables that indicate typing, and the vibrations that indicate where on a virtual keyboard a key was actually pressed.
Noting differences in taps and analyzing them statistically gives the Trojan a pretty accurate idea of what is being typed so it can record passwords and other data, the TapLogger paper said.
TapLogger may be the second motion-sensing exploit published as an app, but Android isn't the only smartphone OS with poor security on its motion sensors.
RIM has similar sensors and controls that could be incorporated, as do jailbroken iOS devices, the authors wrote.
Motion sensor live wallpaper