ARS Technica reports computer scientists have devised a way to capture passwords on Android by interpreting movements via a devices' motion sensor. Access to the motion sensor is available without restriction in Android, so the researchers came up with a way to exploit this weakness and published TapLogger, a proof-of-concept Trojan that monitors readings returned by a phone's accelerometer, gyroscope and orientation sensors:
TapLogger, as their proof-of-concept application for phones running Google's Android operating system is called, masquerades as a benign game that challenges the end user to identify identical icons from a collection of similar-looking images. In the background, the trojan monitors readings returned by the phone's built-in accelerometer, gyroscope, and orientation sensors to infer phone numbers and other digits entered into the device. This then surreptitiously uploads them to a computer under the control of the attackers.
Based in part on a similar smartphone keylogger called TouchLogger demonstrated last year, TapLogger exploits a design weakness in Android that allows all installed apps free access to motion sensor readings. Because similar permission systems are found in Research in Motion's Blackberry OS, there's nothing stopping similar apps from targeting Blackberries according to researchers (Jailbroken iOS devices are also vulnerable.)
"The fundamental problem here is that sensing is unmanaged on existing smartphone platforms," Zhi Xu, a PhD candidate in the Pennsylvania State University's Department of Computer Science and Engineering, wrote in an email to Ars. "TapLogger shows that those unmanaged 'insensitive sensors' can really be used to infer very sensitive user information (e.g. passwords and PIN numbers). Inspired by TapLogger, we believe that more and more sensor-based attackers will be introduced in the near future."