The app developers attempt multiple ways to collect location data, phone identifiers and MAC addresses of the users. A team of cybersecurity researchers has successfully demonstrated a new side-channel attack that lets malicious apps to eavesdrop on the voice from the smartphone’s loudspeakers without requiring any device permission.
Abusing Android Accelerometer to Capture Loudspeaker Data
The new attack which has been dubbed Spearphone make use of the hardware-based motion sensor, called an accelerometer, which is built in almost all the Android devices and it can be accessed by any app installed on a device without any restriction or permissions.
An accelerometer is a motion sensor that allows the apps to observe the movement of a device, such as tilt, shake, rotation, or swing, by measuring the time rate of change of velocity with respect to magnitude or direction.
Since the built-in loudspeaker of a smartphone is placed on the same surface as the embedded motion sensors, when the loudspeaker is enabled, it creates surface-borne and aerial speech reverberations in the body of the smartphone.
According to the security researchers Abhishek Anand, Chen Wang, Jian Liu, Nitesh Saxena and Yingying Chen, the attack gets initiated when the victim either puts a phone or video call on the speaker mode, or listens to a media file, or interacts with the smartphone assistant.
The researchers created an Android app as a proof-of-concept that mimics the behavior of a malicious attacker, designed to record speech reverberations using the accelerometer and send captured data back to an attacker-controlled server.
The remote attacker could then examine the captured readings offline using signal processing along with “off-the-shelf” machine learning techniques to reconstruct spoken words and take out relevant information about the victim.
The researchers state that the Spearphone attack is done to collect the contents of the audio played by the victim which is selected from the device gallery over the Internet, or voice notes received over the instant messaging apps like WhatsApp.
Researchers also tested the attack against phone’s smart voice assistants, including Google Assistant and Samsung Bixby, and successfully captured response to a user query over the phone’s loudspeaker.
The researchers believe that the Spearphone attack has notable value because it can be created by low-profile attackers. The attack can also be used to determine the user’s speech characteristics, including gender classification, with over 90% accuracy, and speaker identification, with over 80% accuracy.
The researcher claimed that the attack cannot be used to capture targeted users’ voice as it is not strong enough to affect the phone’s motion sensors.
More details regarding the attack can be found on the research paper titled “Spearphone: A Speech Privacy Exploit via Accelerometer-Sensed Reverberations from Smartphone Loudspeakers.” The possible mitigation techniques to prevent such attacks and also some limitations that could negatively impact the accelerometer readings are discussed in it.