Android Trojan could steal data by monitoring phone movement

Your data is always vulnerable to being stolen or hacked, but sometimes the ways in which it is vulnerable can be quite surprising. Determining keystrokes based on phone vibration and movement is the latest ingenious method of parting a device from its data.

The culprit is a new Trojan horse program, tame as it were, created by security researchers at Pennsylvania State University. It takes advantage of a flaw in Google's Android mobile operating system that lets background apps monitor the device's sensors -- like the accelerometer, which detects movement and orientation.

The malicious app, which it should be noted is not in the wild, first "trains" by getting the user to enter numbers on a keypad within the app, logging the vibration patterns created by tapping on different numbers. Then, when the user is entering passwords or card data elsewhere, the app continues to listen for those vibrations, matching them to different numbers.

It's further proof that security isn't just a matter of keeping your files encrypted and your password secret. As the things our devices are capable of multiply, so do the vulnerabilities they have. Innovative and unexpected means of circumventing security measures are the rule, not the exception.

TapLogger, as the app is called, was described (PDF) at a conference as a proof of concept by Zhi Xu, a graduate student at PSU, and two other researchers. Google has not responded to questions regarding the vulnerability, but this article will be updated if and when they do.

Update: Google does not have a specific response regarding this app, but emphasized that they are always actively policing the app store for apps that, like this one, abuse the permissions that they are given by users.

Devin Coldewey is a contributing writer for His personal website is .