
TapLogger Android Trojan cracks touchscreen passwords using handset movements

17 Apr 2012

A team of security researchers has developed an Android-based Trojan capable of discerning a user's screen lock code by using the handset's on-board accelerometers to detect the small shifts that result from pressing the touchscreen.

The Trojan, nicknamed TapLogger, was shown to be able to crack passwords of four, six and eight digits, each digit being a number between zero and nine.

When held in a user's hand, smartphones will make small movements each time the user touches a part of the screen.

The researchers were able to teach TapLogger to recognise how different movements corresponded to different digits being pressed on the password screen.

The system, developed by Zhi Xu and Sencun Zhu, computer scientists at Pennsylvania State University, along with Jun Bai of IBM's Watson Research Centre in New York, is capable of running in the background and transmitting stored passwords to an attacker.

As well as stealing screen lock credentials, TapLogger is able to record numbers typed during telephone calls, potentially enabling it to steal telephone numbers or even credit card details.

The researchers designed TapLogger to run on Android-based handsets because of the platform's popularity.

But they noted it would be possible to create alternatives for iOS and BlackBerry handsets because, like Android, those systems do not require security permissions to access the accelerometer and orientation sensors used in the attack.

"The fundamental problem here is that sensing is unmanaged on existing smartphone platforms," said the researchers.

The Trojan was designed to be installed on Android handsets by masquerading as a benign icon-matching game. In fact this game provided the training ground for TapLogger, teaching it how the phone responded to presses at a known set of positions on the screen.

That also ensured TapLogger was effective for Android phones with different screen sizes.

Furthermore, TapLogger was designed to run only when the handset was active, minimising the drain on the battery and therefore increasing the likelihood that it would remain undetected.

TapLogger was developed as a proof of concept and, according to the researchers, to highlight the need for smartphones to require security permissions before apps are able to access on-board sensor data, such as accelerometer readings.

TapLogger is being demonstrated at the Security and Privacy in Wireless and Mobile Networks conference in Tucson, Arizona on Tuesday.
