Ahmed Najeeb,Abdul Rafay,Naveed Anwar Bhatti,Muhammad Hamad Alizai

2024-09-25

Abstract:The increasing use of voice assistants and related applications has raised significant concerns about the security of Inertial Measurement Units (IMUs) in smartphones. These devices are vulnerable to acoustic eavesdropping attacks, jeopardizing user privacy. In response, Google imposed a rate limit of 200 Hz on permission-free access to IMUs, aiming to neutralize such side-channel attacks. Our research introduces a novel exploit, STAG, which circumvents these protections. It induces a temporal misalignment between the gyroscope and accelerometer, cleverly combining their data to resample at higher rates and reviving the potential for eavesdropping attacks previously curtailed by Google's security enhancements. Compared to prior methods, STAG achieves an 83.4% reduction in word error rate, highlighting its effectiveness in exploiting IMU data under restricted access and emphasizing the persistent security risks associated with these sensors.

Cryptography and Security

Rui Ning,Cong Wang,ChunSheng Xin,Jiang Li,Hongyi Wu

DOI: https://doi.org/10.1016/j.pmcj.2019.101106

IF: 3.848

2020-01-01

Pervasive and Mobile Computing

Abstract:In this paper, we report a newfound vulnerability on smartphones due to the malicious use of unsupervised sensor data. We demonstrate that an attacker can train deep Convolutional Neural Networks (CNN) by using magnetometer or orientation data to effectively infer the Apps and their usage information on a smartphone with an accuracy of over 80%. Furthermore, we show that such attacks can become even worse if sophisticated attackers exploit motion sensors to cluster the magnetometer or orientation data, improving the accuracy to as high as 98%. To mitigate such attacks, we propose a noise injection scheme that can effectively reduce the App sniffing accuracy to only 15% and at the same time has negligible effect on benign Apps.

Shinan Liu,Xiang Cheng,Hanchao Yang,Yuanchao Shu,Xiaoran Weng,Ping Guo,Kexiong (Curtis) Zeng,Gang Wang,Yaling Yang

2021-01-01

Abstract:The GPS has empowered billions of users and various critical infrastructures with its positioning and time services. However, GPS spoofing attacks also become a growing threat to GPS-dependent systems. Existing detection methods either require expensive hardware modifications to current GPS devices or lack the basic robustness against sophisticated attacks, hurting their adoption and usage in practice. In this paper, we propose a novel GPS spoofing detection framework that works with off-the-shelf GPS chipsets. Our basic idea is to rotate a one-side-blocked GPS receiver to derive the angle-of-arrival (AoAs) of received signals and compare them with the GPS constellation (consists of tens of GPS satellites). We first demonstrate the effectiveness of this idea by implementing a smartphone prototype and evaluating it against a real spoofer in various field experiments (in both open air and urban canyon environments). Our method achieves a high accuracy (95%-100%) in 5 seconds. Then we implement an adaptive attack, assuming the attacker becomes aware of our defense method and actively modulates the spoofing signals accordingly. We study this adaptive attack and propose enhancement methods (using the rotation speed as the "secret key") to fortify the defense. Further experiments are conducted to validate the effectiveness of the enhanced defense.

Hao Pan,Feitong Tan,Wenhao Li,Yi-Chao Chen,Lanqing Yang,Guangtao Xue,Xiaoyu Ji

DOI: https://doi.org/10.1109/secon55815.2022.9918604

2022-01-01

Abstract:This study reveals that on-board hardware modules leak electromagnetic (EM) emissions whenever audio or camera data is accessed, and proposes Magdefender scheme that explores the possibility of using the magnetometer built into mobile devices to detect eavesdropping instances by malicious apps and even the unscrupulous phone vendors. However, the target EM signals generated by accessing multimedia data is weak and tends to be buried beneath other noisy EM signals from apps running in the foreground. It is also subject to the external interference from geomagnetic signals generated by the device movement. To cope with the challenges, we adopt a generative adversarial networks (GAN) based model to facilitate the extraction of target EM signals indicating the occurrence of eavesdropping from the overall magnetometer readings. We also develop a neural network-based classifier with triplet loss embedding to identify the EM signals from the camera and/or microphones. Empirical results demonstrate the efficacy of MagDefenderin recognizing instances of eavesdropping on cameras/microphones data, with average accuracy of 97.3% when applied to the trained devices, and average 91.5% on unseen mobile devices.

Ming Gao,Yajie Liu,Yike Chen,Yimin Li,Zhongjie Ba,Xian Xu,Jinsong Han

DOI: https://doi.org/10.1109/infocom48880.2022.9796890

2022-01-01

Abstract:IMU-based eavesdropping has brought growing concerns over smartphone users’ privacy. In such attacks, adversaries utilize IMUs that require zero permissions for access to acquire speeches. A common countermeasure is to limit sampling rates (within 200 Hz) to reduce overlap of vocal fundamental bands (85-255 Hz) and inertial measurements (0-100 Hz). Nevertheless, we experimentally observe that IMUs sampling below 200 Hz still record adequate speech-related information because of aliasing distortions. Accordingly, we propose a practical side-channel attack, InertiEAR, to break the defense of sampling rate restriction on the zero-permission eavesdropping. It leverages IMUs to eavesdrop on both top and bottom speakers in smartphones. In the InertiEAR design, we exploit coherence between responses of the built-in accelerometer and gyroscope and their hardware diversity using a mathematical model. The coherence allows precise segmentation without manual assistance. We also mitigate the impact of hardware diversity and achieve better device-independent performance than existing approaches that have to massively increase training data from different smartphones for a scalable network model. These two advantages re-enable zero-permission attacks but also extend the attacking surface and endangering degree to off-the-shelf smartphones. InertiEAR achieves a recognition accuracy of 78.8% with a cross-device accuracy of up to 49.8% among 12 smartphones.

Ming Gao,Yajie Liu,Yike Chen,Yimin Li,Zhongjie Ba,Xian Xu,Jinsong Han,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2022.3193130

2023-01-01

Abstract:Eavesdropping via inertial measurement units (IMUs) has brought growing concerns over smartphone users’ privacy. In such attacks, adversaries utilize IMUs, including accelerometers and gyroscopes, which require zero permissions for access to acquire speeches. A common countermeasure is to limit sampling rates (within 200 Hz) to reduce overlap of vocal fundamental bands (85 $\sim$ 255 Hz) and inertial measurements (0 $\sim$ 100 Hz). Nevertheless, we observe that IMUs sampling below 200 Hz still record adequate speech-related information because of aliasing distortions. Accordingly, we propose a practical side-channel attack, namely InertiEAR , to break the defense of sampling rate restriction on the zero-permission eavesdropping. It leverages accelerometers and gyroscopes jointly to eavesdrop on both top and bottom speakers in smartphones. We exploit coherence between responses of the built-in accelerometer and gyroscope using a mathematical model. The coherence allows precise segmentation without manual assistance. We also mitigate the impact of hardware diversity and achieve better device-independent performance than existing approaches that have to massively increase training data from different smartphones for a scalable network model. These two advantages re-enable zero-permission attacks but also extend the attacking surface and endangering degree to off-the-shelf smartphones. InertiEAR achieves the recognition accuracy of 78.8% with the cross-device accuracy of up to 60.9% among 12 smartphones.

Qinhong Jiang,Xiaoyu Ji,Chen Yan,Zhixin Xie,Haina Lou,Wenyuan Xu

2023-01-01

Abstract:Cameras have evolved into one of the most critical gadgets in various applications. In this paper, we identify a new class of vulnerabilities involving the hitherto disregarded image signal transmission phase and explain the underlying principles of camera glitches for the first time. Based on the vulnerabilities, we design the GlitchHiker attack that can actively induce controlled glitch images of a camera at various positions, widths, and numbers using intentional electromagnetic interference (IEMI). We successfully launch the GlitchHiker attack on 8 off-the-shelf camera systems in 5 categories in their original packages at a distance of up to 30 cm. Experiments with 2 case studies involving 4 object detectors and 2 face detectors show that injecting one ribboning suffices to hide, create or alter objects and persons with a maximum success rate of 98.5% and 80.4%, respectively. Then, we discuss real-world attack scenarios and perform preliminary investigations on the feasibility of targeted attacks. Finally, we propose hardware- and software-based countermeasures.

Sanorita Dey,Nirupam Roy,Wenyuan Xu,Romit Roy Choudhury,Srihari Nelakuditi

DOI: https://doi.org/10.14722/ndss.2014.23059

2014-01-01

Abstract:As mobile begins to overtake the fixed Internet access, ad networks have aggressively sought methods to track users on their mobile devices. While existing countermeasures and regulation focus on thwarting cookies and various device IDs, this paper submits a hypothesis that smartphone/tablet accelerometers possess unique fingerprints, which can be exploited for tracking users. We believe that the fingerprints arise from hardware imperfections during the sensor manufacturing process, causing every sensor chip to respond differently to the same motion stimulus. The differences in responses are subtle enough that they do not affect most of the higher level functions computed on them. Nonetheless, upon close inspection, these fingerprints emerge with consistency, and can even be somewhat independent of the stimulus that generates them. Measurements and classification on 80 standalone accelerometer chips, 25 Android phones, and 2 tablets, show precision and recall upward of 96%, along with good robustness to realworld conditions. Utilizing accelerometer fingerprints, a crowdsourcing application running in the cloud could segregate sensor data for each device, making it easy to track a user over space and time. Such attacks are almost trivial to launch, while simple solutions may not be adequate to counteract them.

Kai Wang,Richard Mitev,Chen Yan,Xiaoyu Ji,Ahmad-Reza Sadeghi,Wenyuan Xu

2022-01-01

Abstract:Capacitive touchscreens have become the primary human-machine interface for personal devices such as smartphones and tablets. In this paper, we present GhostTouch, the first active contactless attack against capacitive touchscreens. Ghost Touch uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it. By tuning the parameters of the electromagnetic signal and adjusting the antenna, we can inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen and control them to manipulate the underlying device. We successfully launch the Ghost Touch attacks on nine smartphone models. We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the Ghost Touch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password. Finally, we discuss potential hardware and software countermeasures to mitigate the attack.

Xiangyu Xu,Yu Chen,Zhen Ling,Li Lu,Junzhou Luo,Xinwen Fu

DOI: https://doi.org/10.1109/infocom52122.2024.10621229

2024-01-01

Abstract:Recent years have witnessed a surge of headphones (including in-ear headphones) usage in works and communications. Because of the privacy-preserve property, people feel comfortable having confidential communication wearing headphones and pay little attention to speech leakage. In this paper, we present an end-to-end eavesdropping system, mmEar, which shows the feasibility of launching an eavesdropping attack on headphones leveraging a commercial mmWave radar. Different from previous works that realize eavesdropping by sensing speech-induced vibrations with reasonable amplitude, mmEar focuses on capturing the extremely faint vibrations with a low signal-to-noise ratio (SNR) on the surface of headphones. Toward this end, we propose a faint vibration emphasis (FVE) method that models and amplifies the mmWave responses to speech-induced vibrations on the In-phase and Quadrature (IQ) plane, followed by a deep denoising network to further improve the SNR. To achieve practical eavesdropping on various headphones and setups, we propose a cGAN model with a pretrain-finetune scheme, boosting the generalization ability and robustness of the attack by generating high-quality synthesis data. We evaluate mmEar with extensive experiments on different headphones and earphones and find that most of them can be compromised by the proposed attack for speech recovery.

Mordechai Guri

DOI: https://doi.org/10.1109/PST52912.2021.9647842

2022-08-21

Abstract:It is known that malware can leak data from isolated, air-gapped computers to nearby smartphones using ultrasonic waves. However, this covert channel requires access to the smartphone's microphone, which is highly protected in Android OS and iOS, and might be non-accessible, disabled, or blocked. In this paper we present `GAIROSCOPE,' an ultrasonic covert channel that doesn't require a microphone on the receiving side. Our malware generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope. These inaudible frequencies produce tiny mechanical oscillations within the smartphone's gyroscope, which can be demodulated into binary information. Notably, the gyroscope in smartphones is considered to be a 'safe' sensor that can be used legitimately from mobile apps and javascript. We introduce the adversarial attack model and present related work. We provide the relevant technical background and show the design and implementation of GAIROSCOPE. We present the evaluation results and discuss a set of countermeasures to this threat. Our experiments show that attackers can exfiltrate sensitive information from air-gapped computers to smartphones located a few meters away via Speakers-to-Gyroscope covert channel.

Cryptography and Security

Zhongjie Ba,Tianhang Zheng,Xinyu Zhang,Zhan Qin,Baochun Li,Xue Liu,Kui Ren

DOI: https://doi.org/10.14722/ndss.2020.24076

2020-01-01

Abstract:Motion sensors on current smartphones have been exploited for audio eavesdropping due to their sensitivity to vibrations. However, this threat is considered low-risk because of two widely acknowledged limitations: First, unlike microphones, motion sensors can only pick up speech signals traveling through a solid medium. Thus, the only feasible setup reported previously is to use a smartphone gyroscope to eavesdrop on a loudspeaker placed on the same table. The second limitation comes from a common sense that these sensors can only pick up a narrow band (85-100Hz) of speech signals due to a sampling ceiling of 200Hz. In this paper, we revisit the threat of motion sensors to speech privacy and propose AccelEve, a new side-channel attack that employs a smartphone's accelerometer to eavesdrop on the speaker in the same smartphone. Specifically, it utilizes the accelerometer measurements to recognize the speech emitted by the speaker and to reconstruct the corresponding audio signals. In contrast to previous works, our setup allows the speech signals to always produce strong responses in accelerometer measurements through the shared motherboard, which successfully addresses the first limitation and allows this kind of attacks to penetrate into real-life scenarios. Regarding the sampling rate limitation, contrary to the widely-held belief, we observe up to 500Hz sampling rates in recent smartphones, which almost covers the entire fundamental frequency band (85-255Hz) of adult speech. On top of these pivotal observations, we propose a novel deep learning based system that learns to recognize and reconstruct speech information from the spectrogram representation of acceleration signals. This system employs adaptive optimization on deep neural networks with skip connections using robust and generalizable losses to achieve robust recognition and reconstruction performance. Extensive evaluations demonstrate the effectiveness and high accuracy of our attack under various settings.

Shan Chang,Luo Zhou,Wei Liu,Hongzi Zhu,Xinggang Hu,Lei Yang

DOI: https://doi.org/10.1109/tdsc.2024.3418908

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Voice assistants, increasingly integrated into wearable devices with limited human-computer interaction modalities, are susceptible to voice spoofing attacks. Such attacks exploit pre-recorded or synthesized voice commands to trick the assistants into executing actions unauthorized by legitimate users. In this work, we propose GyroTalk, a novel approach extracts individual and reliable features from speech movement sequences of users, using built-in gyroscopes in wearables, to differentiate between legitimate users and malicious attackers. GyroTalk is inspired by two critical insights. Firstly, speech, as a highly intricate motor task, necessitates the synchronized coordination of multiple respiratory, laryngeal, lingual and mandibular muscles. These collective muscle movements propagate throughout the body, providing unique movement signatures. Secondly, the distinctive speech movement sequences of individual speakers, essential for generating specific words, can be grabbed by embedded IMU of wearables. We conduct a comprehensive evaluation of GyroTalk across various COTS Android devices, including smart phones, watches and glasses. Our experimental results demonstrate that GyroTalk can achieve a mean FAR of 2.23% and a FRR of 2.48%, even in the face of complicated voice spoofing attacks.

Junyang Zhang,Jiahui Hou,Ye Tian,Xiang-Yang Li

DOI: https://doi.org/10.1109/tmc.2024.3443333

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Secure protocol-independent communication is increasingly demanding to support information exchange among neighbor Internet of Things (IoT) devices. For example, recent works utilize ultrasound at the resonant frequency range of a gyroscope to build communication between a speaker and the gyroscope. However, they are vulnerable to eavesdropping attacks and may have limitations in communication delays. In this work, we present WordWhisper, an efficient, word-level, and speaker-to-gyroscope communication system, with which only the target device can receive the correct information. We theoretically analyze Micro-Electro-Mechanical System (MEMS) gyroscope resonance and propose a hardware-dependent mechanism to defend against eavesdropping, making non-target gyroscopes receive ineffective information. Note that WordWhisper is free of costly data collection from gyroscopes, we train and update our decoding model based on the synthesized data (generated from theoretical MEMS resonance analysis) rather than the costly collected data from gyroscopes. Meanwhile, we address the challenge of eavesdropping when it comes to multiple attackers. We evaluate WordWhisper over 50 MEMS gyroscopes and 100 words. Extensive evaluations demonstrate that WordWhisper can achieve word-level communication with 99.33% accuracy while the recognition accuracy drops to a random guess for the non-target. Our decoding delay is lower than 0.63 seconds.

Wenbin Huang,Hanyuan Chen,Hangcheng Cao,Ju Ren,Hongbo Jiang,Zhangjie Fu,Yaoxue Zhang

DOI: https://doi.org/10.1109/TMC.2024.3401096

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Numerous mobile devices are equipped with voice assistants to facilitate contactless user-device interaction. However, the widespread availability of voice assistants also raises security and privacy concerns, as they can be maliciously triggered to perform voice eavesdropping. Although diverse attacks have been taken to manipulate voice assistants for eavesdropping, they exhibit deficiencies of limited attack scopes and conspicuous attack behaviors because they target specific voice assistants or require extra voice commands to activate them. To manipulate arbitrary voice assistants for covert eavesdropping attack, we conduct a comprehensive analysis of voice assistant implementation in the Android system and refine a universal workflow. Through meticulous analysis and experimental verification, we uncover an inherent vulnerability that in voice assistants across device types that can be awakened by an artificial faking Intent. Building on this significant discovery, we propose an attack termed VoiceEar. It leverages a malicious event generation file and a first-in-first-out Intent generation algorithm to trigger voice assistants within the normal workflow for eavesdropping, without voice commands. Finally, we deploy the VoiceEar attacks on 25 mainstream mobile devices, and invite 95 volunteers for eavesdropping activity perception testing. The results unequivocally demonstrate the seamless execution of VoiceEar attacks, with neither users nor devices awareness.

S Abhishek Anand,Chen Wang,Jian Liu,Nitesh Saxena,Yingying Chen

DOI: https://doi.org/10.48550/arXiv.1907.05972

2020-10-19

Abstract:In this paper, we build a speech privacy attack that exploits speech reverberations generated from a smartphone's in-built loudspeaker captured via a zero-permission motion sensor (accelerometer). We design our attack Spearphone2, and demonstrate that speech reverberations from inbuilt loudspeakers, at an appropriate loudness, can impact the accelerometer, leaking sensitive information about the speech. In particular, we show that by exploiting the affected accelerometer readings and carefully selecting feature sets along with off-the-shelf machine learning techniques, Spearphone can successfully perform gender classification (accuracy over 90%) and speaker identification (accuracy over 80%) for any audio/video playback on the smartphone. Our results with testing the attack on a voice call and voice assistant response were also encouraging, showcasing the impact of the proposed attack. In addition, we perform speech recognition and speech reconstruction to extract more information about the eavesdropped speech to an extent. Our work brings to light a fundamental design vulnerability in many currently-deployed smartphones, which may put people's speech privacy at risk while using the smartphone in the loudspeaker mode during phone calls, media playback or voice assistant interactions.

Cryptography and Security

Li Lu,Jiadi Yu,Yingying Chen,Yanmin Zhu,Xiangyu Xu,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/infocom.2019.8737591

2019-01-01

Abstract:This paper demonstrates the feasibility of a side-channel attack to infer keystrokes on touch screen leveraging an off-the-shelf smartphone. Although there exist some studies on keystroke eavesdropping attacks on touch screen, they are mainly direct eavesdropping attacks, i.e., require the device of victims compromised to provide side-channel information for the adversary, which are hardly launched in practical scenarios. In this work, we show the practicability of an indirect eavesdropping attack, KeyListener, which infers keystrokes on QWERTY keyboards of touch screen leveraging audio devices on a smartphone. We investigate the attenuation of acoustic signals, and find that a user’s keystroke fingers can be localized through the attenuation of acoustic signals received by the microphones in the smartphone. We then utilize the attenuation of acoustic signals to localize each keystroke, and further analyze errors induced by ambient noises. To improve the accuracy of keystroke localization, KeyListener further tracks finger movements during inputs through phase change and Doppler effect to reduce errors of acoustic signal attenuation-based keystroke localization. In addition, a binary tree-based search approach is employed to infer keystrokes in a context-aware manner. The proposed keystroke eavesdropping attack is robust to various environments without the assistance of additional infrastructures. Extensive experiments demonstrate that the accuracy of keystroke inference in top-5 candidates can approach 90% with a top-5 error rate of around 6%, which is a strong indication of the possible user privacy leakage of inputs on QWERTY keyboard.

Ahmed Tanvir Mahdad,Cong Shi,Zhengkun Ye,Tianming Zhao,Yan Wang,Yingying Chen,Nitesh Saxena

DOI: https://doi.org/10.48550/arXiv.2212.12151

2022-12-23

Abstract:Eavesdropping from the user's smartphone is a well-known threat to the user's safety and privacy. Existing studies show that loudspeaker reverberation can inject speech into motion sensor readings, leading to speech eavesdropping. While more devastating attacks on ear speakers, which produce much smaller scale vibrations, were believed impossible to eavesdrop with zero-permission motion sensors. In this work, we revisit this important line of reach. We explore recent trends in smartphone manufacturers that include extra/powerful speakers in place of small ear speakers, and demonstrate the feasibility of using motion sensors to capture such tiny speech vibrations. We investigate the impacts of these new ear speakers on built-in motion sensors and examine the potential to elicit private speech information from the minute vibrations. Our designed system EarSpy can successfully detect word regions, time, and frequency domain features and generate a spectrogram for each word region. We train and test the extracted data using classical machine learning algorithms and convolutional neural networks. We found up to 98.66% accuracy in gender detection, 92.6% detection in speaker detection, and 56.42% detection in digit detection (which is 5X more significant than the random selection (10%)). Our result unveils the potential threat of eavesdropping on phone conversations from ear speakers using motion sensors.

Sound,Cryptography and Security,Audio and Speech Processing

Wenrui Diao,Xiangyu Liu,Zhe Zhou,Kehuan Zhang

DOI: https://doi.org/10.48550/arXiv.1407.4923

2014-07-18

Cryptography and Security

Abstract:Previous research about sensor based attacks on Android platform focused mainly on accessing or controlling over sensitive device components, such as camera, microphone and GPS. These approaches get data from sensors directly and need corresponding sensor invoking permissions. This paper presents a novel approach (GVS-Attack) to launch permission bypassing attacks from a zero permission Android application (VoicEmployer) through the speaker. The idea of GVS-Attack utilizes an Android system built-in voice assistant module -- Google Voice Search. Through Android Intent mechanism, VoicEmployer triggers Google Voice Search to the foreground, and then plays prepared audio files (like "call number 1234 5678") in the background. Google Voice Search can recognize this voice command and execute corresponding operations. With ingenious designs, our GVS-Attack can forge SMS/Email, access privacy information, transmit sensitive data and achieve remote control without any permission. Also we found a vulnerability of status checking in Google Search app, which can be utilized by GVS-Attack to dial arbitrary numbers even when the phone is securely locked with password. A prototype of VoicEmployer has been implemented to demonstrate the feasibility of GVS-Attack in real world. In theory, nearly all Android devices equipped with Google Services Framework can be affected by GVS-Attack. This study may inspire application developers and researchers rethink that zero permission doesn't mean safety and the speaker can be treated as a new attack surface.

Ahmed Al-Haiqi,Mahamod Ismail,Rosdiadee Nordin

DOI: https://doi.org/10.1155/2014/969628

Abstract:Covert channels are not new in computing systems, and have been studied since their first definition four decades ago. New platforms invoke thorough investigations to assess their security. Now is the time for Android platform to analyze its security model, in particular the two key principles: process-isolation and the permissions system. Aside from all sorts of malware, one threat proved intractable by current protection solutions, that is, collusion attacks involving two applications communicating over covert channels. Still no universal solution can countermeasure this sort of attack unless the covert channels are known. This paper is an attempt to reveal a new covert channel, not only being specific to smartphones, but also exploiting an unusual resource as a vehicle to carry covert information: sensors data. Accelerometers generate signals that reflect user motions, and malware applications can apparently only read their data. However, if the vibration motor on the device is used properly, programmatically produced vibration patterns can encode stolen data and hence an application can cause discernible effects on acceleration data to be received and decoded by another application. Our evaluations confirmed a real threat where strings of tens of characters could be transmitted errorless if the throughput is reduced to around 2.5-5 bps. The proposed covert channel is very stealthy as no unusual permissions are required and there is no explicit communication between the colluding applications.