New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission

Earlier this month, The Hacker News covered a story on research revealing how over 1300 Android apps are collecting sensitive data even when users have explicitly denied the required permissions.

The research was primarily focused on how app developers abuse multiple ways around to collect location data, phone identifiers, and MAC addresses of their users by exploiting both covert and side channels.

Now, a separate team of cybersecurity researchers has successfully demonstrated a new side-channel attack that could allow malicious apps to eavesdrop on the voice coming out of your smartphone’s loudspeakers without requiring any device permission.

Abusing Android Accelerometer to Capture Loudspeaker Data

Dubbed Spearphone, the newly demonstrated attack takes advantage of a hardware-based motion sensor, called an accelerometer, which comes built into most Android devices and can be unrestrictedly accessed by any app installed on a device even with zero permissions.

An accelerometer is a motion sensor that lets apps monitor the movement of a device, such as tilt, shake, rotation, or swing, by measuring the time rate of change of velocity with respect to magnitude or direction.

Since the built-in loudspeaker of a smartphone is placed on the same surface as the embedded motion sensors, it produces surface-borne and aerial speech reverberations in the body of the smartphone when loudspeaker mode is enabled.

Discovered by a team of security researchers—Abhishek Anand, Chen Wang, Jian Liu, Nitesh Saxena, Yingying Chen—the attack can be triggered when the victim either places a phone or video call on the speaker mode, or attempts to listen to a media file, or interacts with the smartphone assistant.

As a proof-of-concept, researchers created an Android app, which mimics the behavior of a malicious attacker, designed to record speech reverberations using the accelerometer and send captured data back to an attacker-controlled server.

Researchers say the remote attacker could then examine the captured readings, in an offline manner, using signal processing along with “off-the-shelf” machine learning techniques to reconstruct spoken words and extract relevant information about the intended victim.

Spearphone Attack: Spy On Calls, Voice Notes, and Multimedia

According to the researchers, the Spearphone attack can be used to learn about the contents of the audio played by the victim—selected from the device gallery over the Internet, or voice notes received over the instant messaging applications like WhatsApp.

“The proposed attack can eavesdrop on voice calls to compromise the speech privacy of a remote end-user in the call,” the researchers explain.

“Personal information such as social security number, birthday, age, credit card details, banking account details, etc. consist mostly of numerical digits. So, we believe that the limitation of our dataset size should not downplay the perceived threat level of our attack.”

Researchers also tested their attack against phone’s smart voice assistants, including Google Assistant and Samsung Bixby, and successfully captured response (output results) to a user query over the phone’s loudspeaker.

The researchers believe that by using known techniques and tools, their Spearphone attack has “significant value as it can be created by low-profile attackers.”

Besides this, Spearphone attack can also be used to simply determine some other user’s speech characteristics, including gender classification, with over 90% accuracy, and speaker identification, with over 80% accuracy.

“For example, an attacker can learn if a particular individual (a person of interest under surveillance by law enforcement) was in contact with the phone owner at a given time,” the researchers say.

Nitesh Saxena also confirmed The Hacker News that the attack can not be used to capture targeted users’ voice or their surroundings because “that is not strong enough to affect the phone’s motion sensors, especially given the low sampling rates imposed by the OS,” and thus also doesn’t interfere with the accelerometer readings.

For more details, we encourage our readers to head onto the full research paper [PDF], titled “Spearphone: A Speech Privacy Exploit via Accelerometer-Sensed Reverberations from Smartphone Loudspeakers.”

The paper also discussed some possible mitigation techniques that may help prevent such attacks, as well as a few limitations, including low sampling rate and variation in maximum volume and voice quality of different phone that could negatively impact the accelerometer readings.

In a previous report, we also explained how malware apps were found using motion-sensors of infected Android devices to avoid detection by monitoring if the device is running in a run emulator or belongs to a legitimate user with movements.