The slight movements of your smartphone every time you tap on the touchscreen could be giving away what you are typing.
Eavesdropping on a computer user's keyboard input is called keylogging. Often the culprit is software that runs invisibly, tracking what you type and reporting back to the attacker who installed it - making it easy to steal passwords or bank details.
Keylogging is much harder to pull off on smartphones because most mobile operating systems allow only whatever app is on screen to access what you are typing, says security researcher Hao Chen of the University of California, Davis.
However, Chen and his colleague Liang Cai have got around that hurdle and created a keylogger that runs on Android smartphones. It uses the phone's motion sensors to detect vibrations from tapping the screen. Since mobile operating systems do not treat the motion-sensor output as private or in need of protection, it presents a target for hackers wanting to create an innocent-looking app that secretly monitors phone users.
Chen's keylogger does not have to be visible on screen to sense the phone's horizontal and vertical movements. It calculates which key of the virtual keyboard the user has tapped based on how the phone jiggles in response. The app correctly guesses over 70 per cent of keystrokes on a virtual numerical keypad like those in calculator apps, the pair say.
Chen believes the technique will work on a full alphanumeric keyboard, too, but says that it will probably be less accurate. "However, we expect accuracy to be higher on a tablet device," he says, because the tablet's larger dimensions would accentuate its movements as the user taps the screen. He will present the work at the HotSec conference in San Francisco, California, next week.
Chen says criminals could already be using touchscreen keyloggers, though he hasn't seen one yet. Martin Lee of the computer security firm Symantec says the keylogger is a neat idea, but he points out that there are much simpler ways to get at private information, such as phishing attacks that fool people into revealing their details. Still, he warns that mobile-phone malware is an emerging threat. "I'm sure this isn't the last time we'll see a phone system being used against its owner," he says.