A group of researchers from Nanjing University, China, have demonstrated that Android users’ movements can be tracked by simply analyzing the data provided by the devices’ accelerometers and orientation sensors. And unlike GPS data, these readings are easily harvested by potentially malicious apps, as they can access it without requiring specific permissions.



They tested the tracking accuracy by deploying a simple application that records accelerator data on the smartphones of eight volunteers. Those volunteers carried the phones while using a specific Nanjing metro line over a determined time period.



The collected data, correlated with the location data of the metro stations, resulted in a 92 percent accuracy in discovering volunteers’ movements if they rode the metro for 6 stations.



“We believe this finding is especially threatening for three reasons,” the researchers explained.



“First, current mobile platforms such as Android allow applications to access accelerometer without requiring any special privileges or explicit user consent, which means it is extremely easy for attackers to create stealthy malware to eavesdrop on the accelerometer. Second, metro is the preferred transportation mean for most people in major cities. This means a malware based on this finding can affect a huge population,” they noted.



“Last and the most importantly, metro-riding traces can be used to further infer a lot of other private information. For example, if an attacker can trace a smartphone user for a few days, he may be able to infer the user’s daily schedule and living/working areas and thus seriously threaten her physical safety.”



For this experiment, they chose to use the data corresponding to the volunteers’ use of the metro because “metro trains run on tracks, making their motion patterns distinguishable from cars or buses running on ordinary roads,” and because the distances between neighbouring metro stations are rarely exactly the same, so the “motion patterns of the train within different intervals are distinguishable as well.”



Delivering a malicious app that will collect this data and send it to a remote server should be extremely easy. Potential targets can be tricked into installing it via a social engineering attack.



Also, it’s unlikely that an app like that would be spotted as malicious and booted from online app stores. As said before, it does not need special permission to access the accelerometer’s and orientation sensors’ readings, and getting permission from users to access the Internet (to send the data) is almost a given, as almost every application applies for this permission and most users grant it without a second thought.