A team of security researchers have developed an Android-based Trojan capable of discerning a user's screen lock code using the on-board accelerometers to detect small shifts that result from pressing the touchscreen.
The Trojan, nicknamed TapLogger, was shown to be able to crack passwords of four, six and eight digits, comprising of the numbers between zero and nine.
When held in a user's hand, smartphones will make small movements each time the user touches a part of the screen.
The researchers were able to teach TapLogger to recognise how different movements corresponded to different digits being pressed on the password screen.
The system, developed by Zhi Xu and Sencun Zhu, computer scientists at Pennsylvania State University, along with Jun Bai of IBM's Watson Research Centre in New York, is capable of running in the background and transmitted stored passwords to an attacker.
As well as stealing screen lock credentials, TapLogger is able to record numbers typed during telephone calls, potentially enabling it to steal telephone numbers or even credit card details.
The researchers designed TapLogger to run on Android-based handset because of its popularity.
But they noted it would be possible to create alternatives for iOS and BlackBerry handsets, because like Android, those systems do not require security permissions to access the accelerometer and orientation sensors used in the attack.
"The fundamental problem here is that sensing is unmanaged on existing smartphone platforms," said the researchers.
The Trojan was designed to be installed on Android handsets by masquerading as a benign icon-matching game. In fact this game provided the training ground for TapLogger, by teaching how the phone responded to presses on the screen using a known set of positions.
That also ensured TapLogger was effective for Android phones with different screen sizes.
Furthermore, TapLogger was designed to only run when the handset was active, minimising the drain on the battery, and therefore increasing the likelihood that it would remain undetected.
TapLogger was developed as a proof of concept and, according to the researchers, to highlight the need for smartphones to require security permissions before apps were able to access on-board sensor data, such as accelerometers.
TapLogger is being demonstrated at the Security and Privacy in Wireless and Mobile Networks conference in Tuscan, Arizona on Tuesday.