Even if you're careful about security when you use phones and other devices, there are still risks you might not be aware of. Security researchers regularly find new threats that could allow malicious actors to access your personal data.

One unexpected source of security vulnerabilities is the motion sensor smartphones have embedded in their hardware. These sensors are designed to detect when the phone is moving and have many legitimate uses. But they can also be misused, as we'll show you.

1. Apps That Gather Audio Data From Your Motion Sensor

Security researchers recently demonstrated a scary vulnerability in Android phones. The attack, called Spearphone, is able to capture loudspeaker data. As a result, it could potentially eavesdrop on conversations that you have while your phone is nearby. It makes use of the motion sensor's accelerometer, which measures acceleration and the tilt or rotation of your device. Location apps like Google Maps use the accelerometer to determine your position.

Spearphone works by turning this component into a kind of microphone. The accelerometer is placed on the same plane as a phone's loudspeaker, which allows it to pick up reverberations caused by speech. When someone uses their phone in speaker mode, or interacts with a smartphone assistant like Google Assistant, the accelerometer can capture the speech reverberations. After this, the attacker can forward the recordings to a server they control.

In a paper published on arXiv, the researchers who discovered the flaw demonstrated how it works by creating a malicious Android app. Then they tested the app on devices including an LG G3, Samsung Galaxy S6, and Samsung Galaxy Note 4. This app could record speech using the accelerometer, send these recordings to a server the researchers controlled, then analyze the recordings automatically using machine learning software.

Using data collected in this manner, the researchers were able to identify the speaker's gender in 90 percent of cases, and correctly identified the speaker 80 percent of the time.

2. Apps That Use Motion Sensor Data to Hide

Another cunning way that malware can make use of motion sensors is to hide its true purpose. As reported by Trend Micro, a different group of security researchers discovered two Android apps doing this. The apps, Currency Converter and BatterySaverMobi, appeared as useful tools for converting currency and monitoring your phone's battery life. But in fact, they hid a piece of banking malware called Anubis, which steals credit card data and online banking logins.

These apps took advantage of the motion sensor to evade detection. When security researchers look for malware, they generally run tests on a virtual operating system hosted on a computer. This means that the motion sensors don't detect any motion during testing. On the other hand, when a real user installs an app on a phone, they usually carry their phone around with them. This generates a lot of motion, which the sensors pick up on.

The malicious apps in question checked for motion using the motion sensor. If they found no motion, they assumed that the app was being tested and did not deploy any malicious code, so security researchers would not find anything suspicious. But when a real user installed one of the apps and started moving around, the app would turn the malware on and could start stealing their data.
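For analysts running their own test environment, the following added example (not code from Trend Micro or from the apps described) checks whether a recorded accelerometer trace from the analysis device is flat enough that a motion-gated sample would stay dormant. The window size, threshold and both traces are assumptions constructed for illustration.

```python
import math
import statistics

WINDOW = 5           # samples per window (value assumed for this example)
STILL_STDDEV = 0.05  # m/s^2; a window below this counts as motionless (assumed)

# Constructed traces of (x, y, z) accelerometer readings in m/s^2.
# FLAT: one gravity vector repeated, as a virtual device with no sensor feed reports.
FLAT = [(0.0, 9.81, 0.0)] * 20
# CARRIED: synthetic jitter standing in for a phone carried by a walking user.
CARRIED = [(0.3 * math.sin(i), 9.81 + 0.8 * math.cos(1.3 * i), 0.5 * math.sin(0.7 * i))
           for i in range(20)]

def magnitudes(samples):
    """Reduce each reading to its vector length so device orientation does not matter."""
    return [math.sqrt(x * x + y * y + z * z) for x, y, z in samples]

def moving_fraction(samples, window=WINDOW, still=STILL_STDDEV):
    """Fraction of non-overlapping windows whose magnitude varies by more than `still`."""
    mags = magnitudes(samples)
    windows = [mags[i:i + window] for i in range(0, len(mags) - window + 1, window)]
    if not windows:
        raise ValueError("trace is shorter than one window")
    moving = sum(1 for w in windows if statistics.pstdev(w) > still)
    return moving / len(windows)

def feed_is_flat(samples, min_moving=0.5):
    """True when fewer than `min_moving` of the windows show motion.

    A flat feed means dynamic analysis on this device is unlikely to
    observe the behaviour of an app that waits for movement.
    """
    return moving_fraction(samples) < min_moving

if __name__ == "__main__":
    for name, trace in (("flat", FLAT), ("carried", CARRIED)):
        print(name, moving_fraction(trace), feed_is_flat(trace))
```

If the check reports a flat feed, replay a recorded or synthetic motion trace into the virtual device before drawing conclusions from a clean run.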

3. Apps That Use Motion Sensor Data to Fingerprint You


Another security issue you may have heard about is browser fingerprinting. This is when data from your computer and browser is used to identify and track you. For example, it can work by looking at the different browser extensions you have installed and which fonts you have on your computer. This data can be used to build up a unique picture of you and follow you around the internet.

Both Android and iOS devices are vulnerable to a similar technique that utilizes their motion sensors. Using a technique called SensorID, it's possible to create a fingerprint using gyroscope and magnetometer sensor data from your phone. These sensors are calibrated in a unique way for each user, which means they can identify you. If apps or websites have permission to access your motion sensors, they can follow you as you use the internet.

This technique works even if you take security precautions like using a VPN or swapping to a different browser. Scarily, it persists after performing a factory reset on your phone. This is because the calibration fingerprint of your motion sensors never changes. It's a fast attack as well, taking "less than one second to generate a fingerprint" according to the researchers.

How to Protect Yourself From Apps That Abuse Motion Sensor Data

These attacks are difficult to secure against. However, there are some steps you can take to protect yourself from security risks that abuse your phone's motion sensor.

Look at Required Permissions Before Installing a New App

First, be careful when granting app permissions. When you install an app from the Play Store, it will ask you for permission to use various functions on your phone. For example, a camera app will ask for permission to access your phone's camera.

Many users agree to app permissions without really looking at them. But this can be a security risk. Next time you install an app, check what permissions it requires. If it asks for permission to use your phone's motion sensors, think about why it would need that. If there's no legitimate reason for the app to access the motion sensor, don't install it.
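The same review can be done on an app package before it reaches a device. This added example (not from the original article) parses a decoded AndroidManifest.xml and lists the motion-sensor declarations it finds; the sample manifest and package name are constructed. Reading the accelerometer or gyroscope at standard rates needs no Android permission, so an empty result does not prove an app leaves the sensors alone.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SENSOR_FEATURES = {
    "android.hardware.sensor.accelerometer": "accelerometer",
    "android.hardware.sensor.gyroscope": "gyroscope",
    "android.hardware.sensor.compass": "magnetometer",
}
SENSOR_PERMISSIONS = {
    "android.permission.HIGH_SAMPLING_RATE_SENSORS": "sensor sampling above 200 Hz",
    "android.permission.ACTIVITY_RECOGNITION": "physical activity recognition",
    "android.permission.BODY_SENSORS": "body sensors such as heart rate",
}

# Constructed manifest for a hypothetical flashlight app (decoded text XML).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.HIGH_SAMPLING_RATE_SENSORS"/>
    <uses-feature android:name="android.hardware.sensor.accelerometer"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Return the package name and a list of motion-sensor related findings."""
    root = ET.fromstring(xml_text.strip())
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    feats = {e.get(ANDROID_NS + "name") for e in root.iter("uses-feature")}
    findings = []
    for name, label in SENSOR_FEATURES.items():
        if name in feats:
            findings.append(f"declares {label} hardware feature")
    for name, label in SENSOR_PERMISSIONS.items():
        if name in perms:
            findings.append(f"requests {label}")
    # Sensor access combined with network access is worth a closer look.
    if findings and "android.permission.INTERNET" in perms:
        findings.append("also holds INTERNET, so sensor data could leave the device")
    return {"package": root.get("package"), "findings": findings}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for line in report["findings"]:
        print(" -", line)
```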

Physically Protect Your Phone's Speakers

Second, if you are really concerned about your motion sensors being misused to overhear your conversations, you can take more direct action. You could add vibration-dampening material around the phone's speakers to prevent the motion sensor picking up reverberations.

Alternatively, avoid leaving your phone on a hard flat surface like a tabletop when using the speaker. This should prevent the accelerometer from picking up sound information.

Keep Your Phone's OS Up-to-Date

To protect against fingerprinting, your best bet is to make sure your phone's operating system is up-to-date, as the issue has been addressed in operating systems like iOS 12.2. Google is aware of the issue and is working to update Android systems to protect them.

Your Android Phone Can Pose a Security Risk

Watch out for the clever ways that phone apps can steal your data, including by using the motion sensors. Some of these issues are hard for individuals to protect against. So you should always make sure your Android phone is up to date and secure.