A team of researchers have devised an experimental Android-based Trojan called TapLogger that can manipulate the mobile onboard motion and orientation sensors to crack stored passwords. Motion and orientation sensors can also utilise the vibration sensor of a mobile device, which could then activate a Trojan to capture keyboard inputs using a malicious keylogger.
TapLogger exploits accelerometer and orientation sensor data which as we know isn’t sandboxed and doesn’t enforce permission controls under the Android security model. The motion and orientation sensors are exposed to any app, regardless of permissions. This TapLogger Trojan could also be developed for iOS (iPhone) and BlackBerry (touchscreen and non-touch screen models) as these operating systems also don’t include the motion sensor in their security models.
It works on the assumption that when you tap the screen you are actually moving the mobile device. By moving the mobile device the Trojan (and this includes using different touchscreen gestures), could assist an attacker to use an inferred position on the screen to exploit an attack. If the attacker knows the context of the tap events (which utilises unique patterns of tap events in terms of changes of acceleration) and the screen layout, the Trojan could infer the user’s inputs with the inferred tap position. This means device pins, passwords and pattern logins would definitely be compromised.
Right now this threat isn’t in the wild, but it does highlight a potential evolution in mobile threat management. In my opinion, motion sensor app permission security (and this includes looking into locking down API access), may well be worth some further investigation.
Safe surfing folks!