When using phones and other devices and you care about your security, there are still risks you might not be aware of. Security researchers regularly find new threats that could allow malicious actors to access your personal data. One of the unexpected source of security vulnerabilities is the motion sensor smartphones have embedded in their hardware. These sensors are designed to detect when the phone is moving and have many legitimate uses. But they can also be misused, as we will show you the security risks of Android motion sensor.
What Motion Sensor Is
The Android platform provides several sensors that let you monitor the motion of a device. Two of these sensors are always hardware-based (the accelerometer and gyroscope), and three of these sensors can be either hardware-based or software-based (the gravity, linear acceleration, and rotation vector sensors). For example, on some devices the software-based sensors derive their data from the accelerometer and magnetometer, but on other devices they may also use the gyroscope to derive their data. Most Android-powered devices have an accelerometer, and many now include a gyroscope. The availability of the softare-based sensors is more variable because they often rely on one or more hardware sensors to derive their data.
Motion sensors are useful for monitoring device movement, such as tilt, shake, rotation, or swing. The movement is usually a reflection of direct user input (for example, a user steering a car in a game or a user controlling a ball in a game), but it can also be a reflection of the physical environment in which the device is sitting (for example, moving with you while you drive your car). In the first case, you are monitoring motion relative to the device’s frame of reference or your application’s frame of reference; in the second case you are monitoring motion relative to the world’s frame of reference. Motion sensors by themselves are not typically used to monitor device position, but they can be used with other sensors, such as the geomagnetic field sensor, to determine a device’s position relative to the world’s frame of reference.
Android Motion Sensor Security Risks
1. Gathering Audio Data From Your Android Motion Sensor
Security researchers recently demonstrated a scary vulnerability in Android phones. The attack, called Spearphone, is able to capture loudspeaker data. As a result, it could potentially eavesdrop on conversations that you have while your phone is nearby. It makes use of the Android motion sensor’s accelerometer, which measure acceleration and the tilt or rotation of your device. Location apps like Google Maps use the accelerometer to determine your position.
Spearphone works by turning this component into a kind of microphone. The accelerometer is placed on the same plane as a phone’s loudspeaker, which allows it to pick up reverberations caused by speech. When someone uses their phone in speaker mode, or interacts with a smartphone assistant like Google Assistant, the accelerometer can capture the speech reverberations. After this, the attacker can forward on the recordings to the attacker’s server.
Via arXiv, the researchers who discovered the flaw proved how it would work by creating a malicious Android app. Then they tested the app on devices including an LG G3, Samsung Galaxy S6, and Samsung Galaxy Note 4. This app could record speech using the accelerometer, send these recordings to a server the researchers controlled, then analyze the recordings automatically using machine learning software.
Using data collected in this manner, the researchers were able to identify the speaker’s gender in 90 percent of cases, and correctly identified the speaker 80 percent of the time.
2. Apps That Use Android Motion Sensor Data to Hide
Another cunning way that malware can make use of motion sensors is to hide its true purpose. As reported by Trend Micro, a different group of security researchers discovered two Android apps doing this. The apps, Currency Converter and BatterySaverMobi, appeared as useful tools for converting currency and monitoring your phone’s battery life. But in fact, they hid a piece of banking malware called Anubis, which steals credit card data and online banking logins.
These apps took advantage of the motion sensor to evade detection. When security researchers look for malware, they generally run tests on a virtual operating system hosted on a computer. This means that the motion sensors don’t detect any motion during testing. On the other hand, when a real user installs an app on a phone, they usually carry their phone around with them. Obviously, this generates a lots of motion, which the sensors pick up on.
The malicious apps in question checked for motion using the motion sensor. If they found no motion, they assumed that the app was being tested and did not deploy any malicious code, so security researchers would not find anything suspicious. But when a real user installed one of the apps and started moving around, the app would turn the malware on and could start stealing their data.
3. Apps That Use Android Motion Sensor Data to Fingerprint You
Browser fingerprinting is another security issue you may have heard about. This is when data from your computer and browser is used to identify and track you. For example, it can work by looking at the different browser extensions you have installed and which fonts you have on your computer. This data can be used to build up a unique picture of you and follow you around the internet.
Both Android and iOS devices are vulnerable to a similar technique that utilizes their motion sensors. Using a technique called SensorID, it’s possible to create a fingerprint using gyroscope and magnetometer sensor data from your phone. These sensors are calibrated in a unique way for each user, which means they can identify you. If apps or websites have permission to access your motion sensors, they can follow you as you use the internet.
This technique works even if you take security precautions like using a VPN or swapping to a different browser. Scarily, it persists after performing a factory reset on your phone. This is because the calibration fingerprint of your motion sensors never changes. It’s a fast attack as well, taking “less than one second to generate a fingerprint” according to the researchers.
How Can You be Protected From Apps That Abuse Android Motion Sensor Data
These attacks are difficult to secure against. However, there are some steps you can take to protect yourself from security risks that abuse your phone’s motion sensor.
Look at Required Permissions Before Installing a New App
At first, you need to be careful when granting app permissions. When you install an app from the Play Store, it will ask you for permission to use various functions on your phone. For example, a camera app will ask for permission to access your phone’s camera.
Many users agree to app permissions without really looking at them. But this can be a security risk. Next time you install an app, check what permissions it requires. If it asks for permission to use your phone’s motion sensors, think about why it would need that. If there’s no legitimate reason for the app to access the motion sensor, don’t install it.
Protect Your Phone’s Speakers Physically
Second, if you are really concerned about your motion sensors being misused to overhear your conversations, you can take more direct action. You could add vibration-dampening material around the phone’s speakers to prevent the motion sensor picking up reverberations.
Alternatively, avoid leaving your phone on a hard flat surface like a tabletop when using the speaker. This should prevent the accelerometer from picking up sound information.
Update Your Phone’s OS Permanently
To protect against fingerprinting, your best bet is to make sure your phone’s operating system is up-to-date, as the issue has been addressed in operating systems like iOS 12.2. Google is aware of the issue and is working to update Android systems to protect them.
Your Android Phone Can Pose a Security Risk
By reading this article you saw the clever ways that phone apps can steal your data, including by using the motion sensors. Also there are so many other ways through which they can access your personal information. Some of these issues are hard for individuals to protect against. So you should always make sure your Android phone is up to date and secure. Always be aware of the malicious software and hackers around yourself and try to keep yourself safe and secure.
