Proof-of-Concept Android Trojan Uses Motion Sensors To Steal Passwords

judgecorp writes "TapLogger, a proof-of-concept Trojan for Android developed by resarchers at Pennsylvania State University and IBM, uses information from the phone's motion sensor to deduce what keys the user has tapped (PDF), thus revealing otherwise-hidden information such as passwords and PINs."

yikes!

[noh8rz3]

We talk often about mobile viruses and I've become somewhat inured to it (another malware embedded in rogue angry birds? yawn). But this is scary, brave new world scary.

Re:yikes!

[kthreadd]

Not scary, open!

Re:yikes!

[hierophanta]

+1 good vocabulary

Re:yikes!

[tchuladdiass]

The reason this is significant is that apps are usually installed with limited access to items it doesn't need. So normally a bad app won't be able to steal passwords, or lift your address book, unless you give it permissions. This demonstration is simply showing a covert channel for information leakage that people may not have thought about before.

Re:yikes!

[noh8rz3]

You mean, people who run any APK they find deserve to infect their friends and colleagues with nasty diseases? Cuz I can't say I agree with that sort of laissez fairs attitude. Surely in the name of public health we should expend a little effort helping those who won't help themselves.

Swype

[Pat+Attack]

I wonder if it would work on those of us who use a Swype keyboard. Then again, I do tap out my passwords. A thought: If you randomize the keyboard for password entries, that would make it harder to discern from malware like that and the over-the-shoulder attack.

Re:Swype

[x1r8a3k]

I have a slide out physical keyboard on my phone. I think thats the simplest way to defeat this.

Also this seems to only be able to get the location of taps and infer what you've typed. What if I'm using a non standard keyboard layout?

Re:Swype

[HexaByte]

Better then that, we could all just start randomly moving our devices while typing our passwords, or dancing some hip-hop moves while doing so.

I don't think they'll be able to adjust for that!

Re:Swype

[robmv]

long term better solution is that OS fields for passwords and PIN keypads disable applications access to motion sensor data. If you are custom drawing a password field and not using the OS provided one, add an API to hide motion sensor data when you need it

New Wave of Virus

[lipanitech]

This is the next wave in mobile malware it affects iPhone as well I guess no smart phone is safe. I guess they did not bother with blackberry. lol

Re:New Wave of Virus

[SJHillman]

Blackberry is the OS/2 of the mobile world.

Re:New Wave of Virus

[SJHillman]

Ok, here's the comparison:

OS/2 was once great, but was a little ahead of its time so it ended up slowly fading away. It's still used and will likely be used for time to come even after support has completely dried up.

Blackberry was once great, but was a little ahead of the smartphone curve so now it's slowly fading away. It's still used and will likely be used for time to come even after support has completely dried up.

Well, that's pretty clever

[jfengel]

According to TFA, the idea is actually somebody else's and previously published. This is an extension of the idea that uses a training phase, presumably a part of the Trojan where the user interacts with the phone for benign reasons (perhaps playing a game or entering data for a legitimate purpose) that it uses to calibrate the correlation between taps and the accelerometers.

It's pretty clever. Presumably, it can be defeated by refusing to allow background apps to have access to the sensors, though I can imagine applications where you want to allow that kind of thing (pedometers, for example).

Re:Well, that's pretty clever

[YodasEvilTwin]

I always give pedos access to my vibration sensors.

I find this hard to believe

[ThunderBird89]

I find it hard to believe that the motion sensor can be sensitive enough to detect such minuscule changes, when I sometimes need to tap the phone against the desk to have it acknowledge rotation. Also, if the phone is placed on the table to enter the passwords, most of the supposed motion is eliminated, significantly frustrating the attack.

Re:I find this hard to believe

[SJHillman]

It's not a perfect attack, but it doesn't need to be successful against every single user on every single phone. Most modern smartphones don't require physical abuse to register motion and most smartphone users don't put the phone down, put the password in, then pick it back up every single time. How about an analogy? Let's say there's a PC virus that exploits the wheel function of a USB mouse. Not every PC will have a USB mouse with a wheel, and even among those that do, not every user will use it. However, there's still enough vulnerable PCs that this theoretical virus could be highly successful.

Re:I find this hard to believe

[x1r8a3k]

I just checked on my phone with the raw data from the sensors. If i put if flat on a table, they stay still, but just holding it it can detect the small changes of me just not being able to hold it perfectly still. It will even register if I leave one side on a table and raise the other side by about 1mm. I think the rotation thing is more smoothed out in software to prevent it changing too often.

Easy enough to fix

[Baloroth]

Just don't allow programs in the background to have access to the motion sensors. Is there any actual reason a background program would need such information anyways? It sounds like they just allowed it because developers didn't realize it could give away sensitive details. Now they know, it can be restricted pretty easily, I should think.

And if you do have a program that actually needs the motion sensor information while not in the foreground, just have it ask for special permission.

Re:Easy enough to fix

[Scared+Rabbit]

Well that would certainly break the pedometer apps out there.

Re:Easy enough to fix

[CastrTroy]

Yes, but that would require that people actually be able to change permissions on what individual programs can access. I recently got an Android phone and find it quite laughable what kind of permissions some apps are asking for. Why does a tic-tac-toe game need access to my contact list, the internet (ok ads are one explanation), and my phone information (call information, when I make a call, who the call is to, my phone number etc)? I should be able to lock down my phone by default. There should be no reason I shouldn't explicitly be able to deny programs information to sensors and internal phone data and just send them empty data if they ask for it, so they don't crash. I liked this about my old Nokia phone a lot . It would frequently ask and reask when programs could access the network. It was a little bit of an annoyance, but at least I know I had control over what apps were doing. There's firewalls for the network that can be applied at the application level, but for me that isn't good enough. I immediately thought of a way around it in which one has access to your contact and phone history, and wrote the information out to the SD card, while another app which actually needed access to the network but didn't have access to the contact info (and therefore you were more likely to grant it net access) would read the same data off the SD card and send it over the internet. I can only think of a very limited set of applications that have access to contact lists and phone history. And really I would expect those apps to be built into the phone, not something you download from some random software maker.

Re:Easy enough to fix

[X0563511]

So? Pedometers are cheap. If you are not stationary, just use the GPS to determine distance/speed. If you are stationary, chances are the platform knows how "far" you have gone and how "fast" you are going.

If you're jogging in place... well, deal with it :P

Franklin said it best.

Those who would give up essential usability to purchase a little temporary security, deserve neither usability nor security.

Re:Franklin said it best.

[Entropius]

This is just a further illustration of the basic idea that letting someone run arbitrary code on your system is a bad idea, and that access to external communications and sensors breaks sandboxing. Someone with the ability to turn on a webcam, for instance, can do all sorts of nefarious things, including seeing you type your password reflected in your glasses if it's high-enough resolution.

Re:Franklin said it best.

[h4rr4r]

So don't install their code. The flip side it that it is even worse if someone else gets to decide what arbitrary code is allowed to run on your system.

Simple fix

[PPH]

Just have the password entry widget lock the accelerometer (or whatever) resource while in focus.

Re:Simple fix

[robmv]

That solves the PIN entry widget, malware could hypothetical capture passwords from password fields, so those fields need to be protected too. The problem remain with apps that don't use native toolkits, so to add an API that locks hardware devices that could be used to capture sensitive information is enough in an ideal world. In the real world many app developers will simply ignore to use it

Fixing This Will Damage Science

[ScentCone]

We use the internal motion sensors on Android phones to provide all of the inertial navigation input we need to control the external thrusters on the capsules of the hihg altitude balloons we send up for biometric testing of the subjects inside. The subjects, usually kids about five years old, play Angry Birds and type out phrases of Shakespeare until they black out. If they disable background motion sensor use, it's possible we're going to lose more like 8 out of 10 kids we send up, instead of the usual 5 or 6. I can see already that we might have to go back to using spider monkeys, or those expensive parrots. Which means re-working the whole app, again. Man, science is hard.