Researchers at Penn State and IBM have developed a malicious Android application that's capable of stealing user data with the help of the device's embedded motion sensors.
"The team created an experimental app called TapLogger [PDF file], which is based on the premise that when you tap on your touch screen, you're not just interacting with the screen, but moving the entire device," writes The Verge's Andrew Webster. "So if you hit a button in the upper right corner, your phone will actually move in that direction slightly, and that subtle movement is then read by the accelerometer and other sensors built-in to your device."
"The software masquerades as an icon-matching game, and after the user has played 30 rounds it has access to more than 400 'tap events,' researchers said," writes TechWeekEurope's Matthew Broersma. "'When the user is interacting with the Trojan application, it learns the motion change patterns of tap events,' the researchers said in their paper. 'Later, when the user is performing sensitive inputs, such as entering passwords on the touchscreen, the Trojan application applies the learnt pattern to infer the occurrence of tap events on the touchscreen as well as the tapped positions on the touchscreen.'"
"The researchers designed TapLogger to run on [an] Android-based handset because of its popularity," writes V3.co.uk's Gareth Morgan. "But they noted it would be possible to create alternatives for iOS and BlackBerry handsets, because like Android, those systems do not require security permissions to access the accelerometer and orientation sensors used in the attack. 'The fundamental problem here is that sensing is unmanaged on existing smartphone platforms,' said the researchers."
"In August 2011, a pair of researchers from University of California proposed [PDF file] a similar attack and designed a concept application called TouchLogger to demonstrate it," notes Computerworld's Lucian Constantin. "However, compared to TouchLogger, TapLogger uses additional orientation sensor readings and introduces the training mode for device-specific data. It also features stealth options and supports two practical attacks -- inferring screen unlock passwords and credit card PIN numbers, the new Trojan's creators said."