Proof-of-Concept Android Trojan Uses Motion Sensors To Steal Passwords

judgecorp writes "TapLogger, a proof-of-concept Trojan for Android developed by resarchers at Pennsylvania State University and IBM, uses information from the phone's motion sensor to deduce what keys the user has tapped (PDF), thus revealing otherwise-hidden information such as passwords and PINs."

yikes!

[noh8rz3]

We talk often about mobile viruses and I've become somewhat inured to it (another malware embedded in rogue angry birds? yawn). But this is scary, brave new world scary.

Re:yikes!

[kthreadd]

Not scary, open!

Re:yikes!

[hierophanta]

+1 good vocabulary

Re:yikes!

[jeffmeden]

Are you kidding? If you have a rogue app on your device it's probably going to find a way to steal all kinds of information. This is nothing more than a pretty interesting new use for motion sensors. It is not, however, any surprise that a rogue app can have whatever it wants from your smartphone, motion sensors or not.

Re:yikes!

[tchuladdiass]

The reason this is significant is that apps are usually installed with limited access to items it doesn't need. So normally a bad app won't be able to steal passwords, or lift your address book, unless you give it permissions. This demonstration is simply showing a covert channel for information leakage that people may not have thought about before.

Re:yikes!

[masternerdguy]

Until it can be installed remotely or by some kind of drive by download, this isn't a problem. People who run any APK they find deserve to catch nasty diseases.

Re:yikes!

[noh8rz3]

You mean, people who run any APK they find deserve to infect their friends and colleagues with nasty diseases? Cuz I can't say I agree with that sort of laissez fairs attitude. Surely in the name of public health we should expend a little effort helping those who won't help themselves.

Re:yikes!

[AmberBlackCat]

I wonder how hard would it be to issue an update that only allows accelerometer data to be passed to the app in the foreground.

Re:yikes!

There are plenty of legitimate reasons to need accelerometer data in the background though. One app I use frequently logs data while I am jogging. I don't want it to stop logging if I have my music player or map in the foreground.

Re:yikes!

[PuZZleDucK]

... deserve to infect their friends and colleagues with nasty diseases? ...

It's malware, but it's _not_ a virus, so I don't know why you'd be concerned with friends and colleagues catching anything.

Re:yikes!

[noh8rz3]

no, this is a new vector for malware. could be virus, or etc.

Re:yikes!

> people who run any APK they find deserve to infect their friends and colleagues with nasty diseases?

And how do they do that, pray tell? AFAIK, there are no such remote exploits for Android and all the Android malware are trojans depending on users to install it and allow to do things to their phones.

Re:yikes!

[Eraesr]

I'm pretty sure most people don't look at what access they grant an app when they install it anyway. The whole "this app needs these permissions" screen on Android is worthless as a large scale (as in: for the majority of users) security measure.

Re:yikes!

[william+smith6161]

really amazing

Re:yikes!

[aiht]

no, this is a new vector for malware. could be virus, or etc.

No, it isn't. This is a technique that could be used by malware after it's installed. In no way can it help malware to install itself. Do you actually know what vector means, in the context of diseases or viruses?

Re:yikes!

I agree. And there is no stupid way to selectively say YES/NO to those permissions. Either you can accept the whole bunch of permissions of you can reject and choose to not install the application. Some permission manager apps are available but usually the application just force closes. It might be more helpful if such permission managers would provide runtime stubs for necessary functions so they can really be useful.

Re:yikes!

[MikeBabcock]

I don't think you understand the concept -- this functionality could easily be hidden in a legitimate app with motion sensing capabilities, like a step counter or a level.

Swype

[Pat+Attack]

I wonder if it would work on those of us who use a Swype keyboard. Then again, I do tap out my passwords. A thought: If you randomize the keyboard for password entries, that would make it harder to discern from malware like that and the over-the-shoulder attack.

Re:Swype

You can store 4 or 5 letters of your password in groups as swipe dictionary words, then swipe your password pausing between each group, it won't enter a space between them.

Re:Swype

[x1r8a3k]

I have a slide out physical keyboard on my phone. I think thats the simplest way to defeat this.

Also this seems to only be able to get the location of taps and infer what you've typed. What if I'm using a non standard keyboard layout?

Re:Swype

[PickyH3D]

Not to attack the idea, but wouldn't a randomized keyboard slow down your typing as you search for the keys, thus enabling the shoulder-surfer to watch as you struggle? I agree that would likely beat the Malware assuming that the malware reading your motion sensors can't also figure out what keyboard is being displayed.

Re:Swype

[Qzukk]

What if I'm using a non standard keyboard

They have merged it with a game to calibrate it to your usage. After you've typed all the letters of the alphabet several times each, it'll know how your wrists twist to get your thumbs to all the keys of whatever keyboard you're using, whether it's physical or onscreen.

Re:Swype

[HexaByte]

Better then that, we could all just start randomly moving our devices while typing our passwords, or dancing some hip-hop moves while doing so.

I don't think they'll be able to adjust for that!

Re:Swype

[Pat+Attack]

Brilliant! Obfuscation through too much data.

Re:Swype

[robmv]

long term better solution is that OS fields for passwords and PIN keypads disable applications access to motion sensor data. If you are custom drawing a password field and not using the OS provided one, add an API to hide motion sensor data when you need it

Re:Swype

[x1r8a3k]

as would restricting usage to those times when you're aboard a roller coaster.

That gives me an idea -- put in a more powerful vibrator and run it whenever a text field is active. I'm sure Google will pay millions for this!

Re:Swype

[camperdave]

All the more reason to use passfaces. Shows random faces, except one, in random locations. Tap on the face you recognize. Since the location of the key face is in a random position, the sensor data is also random.

Re:Swype

[markyosti]

eheh :-). Just jump while typing, that will do it.

Seriously, this reminds me of an article I've read a few days ago about software being able to guess the characters pressed on a keyboard by listening to the sound and interval of they keypresses.

Re:Swype

[Waldeinburg]

As I understand the article, the game has nothing to do with the alphabet. They assume your layout is an ordinary numpad-layout and let the user play an icon matching game: In a 3x4 icon grid, "tap to pick up paired icons". So the game will not work with a physical keyboard and will not detect non-standard layout.

Re:Swype

[MikeBabcock]

It wouldn't be that hard to introduce a system hook that requests a password from the user while disabling background data and sensors.

New Wave of Virus

[lipanitech]

This is the next wave in mobile malware it affects iPhone as well I guess no smart phone is safe. I guess they did not bother with blackberry. lol

Re:New Wave of Virus

Actually purely by coincidence this won't affect WP7, which doesn't allow apps to run in the background.

Re:New Wave of Virus

[SJHillman]

Blackberry is the OS/2 of the mobile world.

Re:New Wave of Virus

[noh8rz3]

No, the f a said the motion sensing algorithms would work in concept on an iPhone. But the malware vector doesn't exist, and the multitasking model would prevent this practice from running in the background. So, like all malware, this one is android only.

Re:New Wave of Virus

[PickyH3D]

WP7 does allow apps to run in the background. It does not allow apps to access certain APIs while running in the background, such as VOIP controls (e.g., Skype). That's not too dissimilar from what Apple does on iOS.

Re:New Wave of Virus

[SJHillman]

Ok, here's the comparison:

OS/2 was once great, but was a little ahead of its time so it ended up slowly fading away. It's still used and will likely be used for time to come even after support has completely dried up.

Blackberry was once great, but was a little ahead of the smartphone curve so now it's slowly fading away. It's still used and will likely be used for time to come even after support has completely dried up.

Re:New Wave of Virus

No, the f a said the motion sensing algorithms would work in concept on an iPhone. But the malware vector doesn't exist, and the multitasking model would prevent this practice from running in the background. So, like all malware, this one is android only.

Oh, right, because nobody jailbreaks their iPhone and sets it up to download apps from an alternative *couchcydiacough* store lacking Apple's QC oversight... gotcher malware vector right here, buddy -- dumb users running with system privileges they don't need clicking on the shiny, same as ever.

Re:New Wave of Virus

[recoiledsnake]

WP7 does allow apps to run in the background. It does not allow apps to access certain APIs while running in the background, such as VOIP controls (e.g., Skype). That's not too dissimilar from what Apple does on iOS.

With WP7, background tasks cannot run constantly like they can do on Android. The OS schedules them every 30 min(on battery and cellular data) or every 15 mins(on plugged in power and WiFi) or totally shut off (battery is low and the battery saver is enabled).

Re:New Wave of Virus

[X0563511]

... did you just expel a couch from your face? Ouch!

Re:New Wave of Virus

So, like all malware, this one is android only.

Retard alert.

Re:New Wave of Virus

No, the f a said the motion sensing algorithms would work in concept on an iPhone. But the malware vector doesn't exist, and the multitasking model would prevent this practice from running in the background. So, like all malware, this one is android only.

Gather 'round, slashdot. For future reference, THIS is Begging The Question. To everyone who has been using it wrong for the past umpteen years, please take notes. That is what a logical fallacy looks like.

Well, that's pretty clever

[jfengel]

According to TFA, the idea is actually somebody else's and previously published. This is an extension of the idea that uses a training phase, presumably a part of the Trojan where the user interacts with the phone for benign reasons (perhaps playing a game or entering data for a legitimate purpose) that it uses to calibrate the correlation between taps and the accelerometers.

It's pretty clever. Presumably, it can be defeated by refusing to allow background apps to have access to the sensors, though I can imagine applications where you want to allow that kind of thing (pedometers, for example).

Re:Well, that's pretty clever

[YodasEvilTwin]

I always give pedos access to my vibration sensors.

Re:Well, that's pretty clever

[Lussarn]

Best way to defeat this would be to stop the sensors (for background apps) when the keyboard is up. But really, if you got some nasty trojan on there you got problems anyway, and password stealing by reading sensors is probably not the worst of them.

Re:Well, that's pretty clever

[m85476585]

Georgia Tech published something on this a while back.
http://www.gatech.edu/newsroom/release.html?nid=71506

Re:Well, that's pretty clever

[jeffmeden]

According to TFA, the idea is actually somebody else's and previously published. This is an extension of the idea that uses a training phase, presumably a part of the Trojan where the user interacts with the phone for benign reasons (perhaps playing a game or entering data for a legitimate purpose) that it uses to calibrate the correlation between taps and the accelerometers.

It's pretty clever. Presumably, it can be defeated by refusing to allow background apps to have access to the sensors, though I can imagine applications where you want to allow that kind of thing (pedometers, for example).

The dead giveaway would be the app that keeps the motion sensors alive all the time crushing the battery usage stats on the phone. Not that many are bothered to check for such things, but its a dead giveaway that an app thats not supposed to be running is alive and doing nefarious things (especially if the motion driver is high on the usage list too).

So what you're saying is...

Any device with access to the motion sensors using a touchscreen running some software can theoretically do this, not just Android.

I'm not going to click on the link, but I'll be there's an i Fanboi authoring this article.

Re:So what you're saying is...

[ThunderBird89]

Not likely, the article makes a reference to the iPhone making accelerometer data available to unprivileged apps as well. The title probably stems from the fact that Android allowed this to be tested, while iPhone's lack of sideloading probably ruled out a proof-of-concept attack...

Re:So what you're saying is...

Or perhaps the guy developing the attach didn't feel like buying a Mac solely for the purpose of iOS app development.

Re:So what you're saying is...

[noh8rz3]

Yes, but for iPhone it would only work when you explicitly open the proof of concept app. It can't lurk in the background to grab your PINs

Re:So what you're saying is...

How exactly do you think devs test their iPhone apps?

Re:So what you're saying is...

Judging by the quality of some apps, it seems testing is done by releasing the app and wait for feedback from angry users.

I find this hard to believe

[ThunderBird89]

I find it hard to believe that the motion sensor can be sensitive enough to detect such minuscule changes, when I sometimes need to tap the phone against the desk to have it acknowledge rotation. Also, if the phone is placed on the table to enter the passwords, most of the supposed motion is eliminated, significantly frustrating the attack.

Re:I find this hard to believe

[SJHillman]

It's not a perfect attack, but it doesn't need to be successful against every single user on every single phone. Most modern smartphones don't require physical abuse to register motion and most smartphone users don't put the phone down, put the password in, then pick it back up every single time. How about an analogy? Let's say there's a PC virus that exploits the wheel function of a USB mouse. Not every PC will have a USB mouse with a wheel, and even among those that do, not every user will use it. However, there's still enough vulnerable PCs that this theoretical virus could be highly successful.

Re:I find this hard to believe

[jeremyjo]

I find it hard to believe that the motion sensor can be sensitive enough to detect such minuscule changes, when I sometimes need to tap the phone against the desk to have it acknowledge rotation.

The motion sensor is sending data, it's just that the application you're using doesn't have the the processing power to do anything about it right then. Luckily malware tends to be coded much more efficiently than desirable apps.

Re:I find this hard to believe

[x1r8a3k]

I just checked on my phone with the raw data from the sensors. If i put if flat on a table, they stay still, but just holding it it can detect the small changes of me just not being able to hold it perfectly still. It will even register if I leave one side on a table and raise the other side by about 1mm. I think the rotation thing is more smoothed out in software to prevent it changing too often.

Re:I find this hard to believe

[ThunderBird89]

True enough, I guess.
Although when I said 'tap', I really meant tapping the phone against the desk, usually cushioned by my finger, so the screen rotates, not slam it down.

I still have doubts about the sensitivity of the motion sensor. Based on a few quick scans from the Tricorder app, I couldn't pick out any spikes in the thermal noise from the sensor, apart from my hand shaking (which was apparently chaotic, so taps could not be inferred from the infrequent peaks).

Re:I find this hard to believe

[PickyH3D]

In the first case, that's if you do not have a very good motion sensor. In the second case, that's if you know that you need to try and avoid such an attack.

Re:I find this hard to believe

[SJHillman]

My phone (LG Optimus Slider, 6 months old) is probably too insensitive for it to register as well, but some of the higher end Android phones I've played with have shown an amazing level of sensitivity and accuracy. Within a year or two, that will likely trickle down to the lower end models so that all new smartphones are sensitive enough for this to work.

Re:I find this hard to believe

[ThunderBird89]

My Nexus S is usually pretty sensitive, reliably detecting acceleration as low as 0,1-0,01 m/s^2 (which seems to be still to little for this 'taplogging' to work). For some reason, it's only the screen rotation that seems to suffer from lag.

Re:I find this hard to believe

[X0563511]

The accelerometer can detect sudden accelerations much better than a steady one, such as gravity. Those sudden accelerations are exactly what you would get while "typing"

Re:I find this hard to believe

[salmonmoose]

I recall being able to buy monitor stands that converted your monitor into a touch-screen by using a similar technique - It doesn't shock me that the same can be done with phones.

Re:I find this hard to believe

[PuZZleDucK]

... also find it hard to believe that we can detect planets around stars which themselves are barely visible; or subatomic particles...

Couldn't have said it better myself.

Also if you find the above hard to believe then you're never going to believe this: http://gcn.com/articles/2011/10/18/smart-phone-sensors-steal-keystrokes.aspx.

We are...

[jfdavis668]

Penn State!

Re:We are...

[Entropius]

They are also an excellent research university, drunken antics and football-coach-kiddie-fiddling notwithstanding.

Easy enough to fix

[Baloroth]

Just don't allow programs in the background to have access to the motion sensors. Is there any actual reason a background program would need such information anyways? It sounds like they just allowed it because developers didn't realize it could give away sensitive details. Now they know, it can be restricted pretty easily, I should think.

And if you do have a program that actually needs the motion sensor information while not in the foreground, just have it ask for special permission.

Re:Easy enough to fix

[Scared+Rabbit]

Well that would certainly break the pedometer apps out there.

Re:Easy enough to fix

[CastrTroy]

Yes, but that would require that people actually be able to change permissions on what individual programs can access. I recently got an Android phone and find it quite laughable what kind of permissions some apps are asking for. Why does a tic-tac-toe game need access to my contact list, the internet (ok ads are one explanation), and my phone information (call information, when I make a call, who the call is to, my phone number etc)? I should be able to lock down my phone by default. There should be no reason I shouldn't explicitly be able to deny programs information to sensors and internal phone data and just send them empty data if they ask for it, so they don't crash. I liked this about my old Nokia phone a lot . It would frequently ask and reask when programs could access the network. It was a little bit of an annoyance, but at least I know I had control over what apps were doing. There's firewalls for the network that can be applied at the application level, but for me that isn't good enough. I immediately thought of a way around it in which one has access to your contact and phone history, and wrote the information out to the SD card, while another app which actually needed access to the network but didn't have access to the contact info (and therefore you were more likely to grant it net access) would read the same data off the SD card and send it over the internet. I can only think of a very limited set of applications that have access to contact lists and phone history. And really I would expect those apps to be built into the phone, not something you download from some random software maker.

Re:Easy enough to fix

[Entropius]

Seems like you could sanitize motion sensor information being passed to untrusted apps by reducing the resolution of the data to what's needed to determine which way is up to fix this. An app that wants high-resolution motion sensor info can ask for it.

Re:Easy enough to fix

[chowdahhead]

If you're rooted, there are apps on the market that allow you to manage permissions. Cyanogenmod includes this capability in the ROM itself. It would be a nice feature for stock Android to have, but I doubt that will happen.

Re:Easy enough to fix

[X0563511]

So? Pedometers are cheap. If you are not stationary, just use the GPS to determine distance/speed. If you are stationary, chances are the platform knows how "far" you have gone and how "fast" you are going.

If you're jogging in place... well, deal with it :P

Re:Easy enough to fix

[Scared+Rabbit]

I'm not sure how well the GPS is going to work inside the buildings I spend most of my day inside of. Having a pedometer on my phone seems to work much better than any pedometer that I've ever used in the past as it doesn't accidentally get reset, and I don't have to worry about clipping it somewhere just to have it count my steps.

Re:Easy enough to fix

[Morlenden]

The camera will also have to be disabled because tap-induced camera motion could be read that way.
It may also be possible to get tap position information from the microphone.

Re:Easy enough to fix

I use Setting Profiles, where it detects whether the phone is face up or face down. My default ring setting and notifications are to vibrate. When the phone is face up (typically not in my pocket), then it goes audible. When it is face down, it turns on extremely loud.

Re:Easy enough to fix

[PuZZleDucK]

... chances are the platform knows how "far" you have gone and how "fast" you are going...

Without the gyro/motion data I fail to see how it could work out these things.

Re:Easy enough to fix

[X0563511]

Then you didn't think very hard. If you are stationary then you are either jogging in place (nothing I can say about that, except perhaps start counting?) then you are on a machine with moving parts. The machines have sensors and "see" the metrics required to calculate it.

then we need to have a key randomizer

[Joe_Dragon]

so they can't say have pos 24,53 = h each time.

Franklin said it best.

Those who would give up essential usability to purchase a little temporary security, deserve neither usability nor security.

Re:Franklin said it best.

[Entropius]

This is just a further illustration of the basic idea that letting someone run arbitrary code on your system is a bad idea, and that access to external communications and sensors breaks sandboxing. Someone with the ability to turn on a webcam, for instance, can do all sorts of nefarious things, including seeing you type your password reflected in your glasses if it's high-enough resolution.

Re:Franklin said it best.

"That vulnerability is purely theoretical."

Re:Franklin said it best.

[PessimysticRaven]

Those who would give up essential usability to purchase a little temporary security, deserve neither usability nor security.

Yes... But he said liberty, not usability.

Re:Franklin said it best.

[h4rr4r]

So don't install their code. The flip side it that it is even worse if someone else gets to decide what arbitrary code is allowed to run on your system.

Re:Franklin said it best.

[masternerdguy]

So you'd rather not be able to install the occasional important program from beyond the market ("arbitrary code") to gain a small amount of security instead of just being careful what APK you choose to install? That's sad.

Re:Franklin said it best.

[Entropius]

No, it means that I am not going to install code without trusting where it came from. People are criticizing this as a vulnerability in Android -- it's not. It's just a demonstration that someone who wants to hurt you and can run code on your system can do so.

Re:Franklin said it best.

[Sigg3.net]

Wow, your technical knowledge is just amazing! You should try to get a job at one of those Crime Scene Investigations units.

Enhance!

Simple fix

[PPH]

Just have the password entry widget lock the accelerometer (or whatever) resource while in focus.

Re:Simple fix

[robmv]

That solves the PIN entry widget, malware could hypothetical capture passwords from password fields, so those fields need to be protected too. The problem remain with apps that don't use native toolkits, so to add an API that locks hardware devices that could be used to capture sensitive information is enough in an ideal world. In the real world many app developers will simply ignore to use it

Re:Simple fix

[PPH]

Expand the concept to include some set of resources that need to be locked when an entry field's 'secure' parameter is set to true. As new hacks are discovered, add them to that resource set.

Flog developers that don't adhere to programming/toolkit standards. Since this fraction approaches unity, this should satisfy the sadist in every PHB.

Fixing This Will Damage Science

[ScentCone]

We use the internal motion sensors on Android phones to provide all of the inertial navigation input we need to control the external thrusters on the capsules of the hihg altitude balloons we send up for biometric testing of the subjects inside. The subjects, usually kids about five years old, play Angry Birds and type out phrases of Shakespeare until they black out. If they disable background motion sensor use, it's possible we're going to lose more like 8 out of 10 kids we send up, instead of the usual 5 or 6. I can see already that we might have to go back to using spider monkeys, or those expensive parrots. Which means re-working the whole app, again. Man, science is hard.

Put down your phone?

[lajoyce]

Placing your phone on a table/counter/desk can save your data!

Re:Put down your phone?

[PuZZleDucK]

Did you even RTA? and your going to do this EVERY time you type sensitive data?

If so, try reading this one: http://gcn.com/articles/2011/10/18/smart-phone-sensors-steal-keystrokes.aspx

Re:Put down your phone?

[lajoyce]

My failed joke. Of course it's not going to save your phone, and if you're letting malware get on there in the first place then there's a chance that's not the only thing on your phone stealing your data.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

if u install any malware it's already too late

Once you install malware it's too late, it can just act as a key logger, it s doesn't need to read the sensor to find out your password.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

weird...

[Tastecicles]

...I've just watched an episode of NCIS where someone placed a bug in a computer keyboard that used subsonic acoustics to determine which key had been pressed... Hollywood science?

Re:weird...

[garyebickford]

It sounds plausible, maybe. I suppose it would depend on the type of keyboard, and might need to be trained for each keyboard. (Would all those bagel crumbs that fell in between the keys alter the acoustics?) It might be easier from outside the keyboard. Stranger things have been done - bouncing a laser off a window to pick up the sounds in a room (the vibration of the window modulates the laser beam); I think that sounds picked up through a wall have been used to place people inside the room, behind the wall.

I guess this is one for Mythbusters.

Re:weird...

http://it.slashdot.org/story/05/09/13/1644259/keyboard-sound-aids-password-cracking

Infrormation?

Infrormation?

Seriously?

The link says pdf. It doesn't link to a pdf. Am I the only one that gets annoyed about that?

Nothing new here

[Terry+Pearson]

There is nothing new here. You "could" potentially write a program that does a lot of things. The beauty of Android is that you essentially have a computer in the palm of your hand.

To those concerned that viruses will spread, research the Android permissions and security model. This model has not been broken. A user must give permission to the app first. Most users who are too stupid to read the permissions, are also too stupid to find alternative APK sources. So there is nothing to worry about. If you fall into the third category of users who read the permissions and blindly trust, well you knew what you were getting into.

I think that a lot of this "Android virus" propoganda is being put out by certain antivirus companies looking for a new revenue stream. They see Android as a cash cow in the future and they want to get people fearful of proof-of-concept malware and so-called viruses.