Home Cyber Attack Spearphone Attack Allows Android Apps to Listen To Your Loudspeaker Conversations

Spearphone Attack Allows Android Apps to Listen To Your Loudspeaker Conversations

by Abeerah Hashim
android spearphone attack

It hasn’t been long since we studied how Android apps evade app permissions to exfiltrate user data. Once again, researchers have conducted another study to reveal how Android apps listen to users’ conversation over loudspeakers. Dubbed ‘Spearphone’ the attack empowers perpetrators to capture all voice generated through a device’s loudspeaker.

Spearphone Attack Breaching Speech Privacy

Researchers have demonstrated a new side-channel attack ‘Spearphone’ that allows capturing loudspeaker data. The Spearphone attack breaches speech privacy by exploiting the motion sensor ‘accelerometer’ and capturing speech reverberations generated through the loudspeaker. This, in turn, empowers the attackers to listen to every sound coming out of the loudspeaker including conversations, music, or any other audio.

As elaborated in their research paper, this vulnerability exists in most Android smartphones currently in use. The users become vulnerable to attacks as soon as they put their phones to loudspeaker mode when playing any audio files, during phone calls, or interacting with voice assistants.

Describing the Spearphone attack, the researchers stated,

Spearphone is a three-pronged attack that performs gender, speaker and speech classification using accelerometer’s response to the speech reverberations, generated by the victim’s phone’s speakers.

According to this study, the flaw exists owing to the placement of accelerometer and loudspeaker on the same surface within a smartphone.

Placement of accelerometer and loudspeaker

Since the accelerometer can sense the sound reverberations at certain loudness, it can capture the voice generated from the loudspeaker. Thus, an attacker can exploit this glitch via a malicious application that can abuse accelerometer to capture loudspeaker sounds.

Demonstration of Attack on Android Phones

As a PoC, the researchers designed an Android app with malicious intent to capture accelerometer readings. They also elaborate that the same attack can also make use of a malicious Javascript running on the target phone’s browser.

For test devices, they took LG G3, Samsung Galaxy S6 and Samsung Note 4. Whereas, they conducted the experiment into two different setups for precise results – handheld setup and surface setup (device placed on a hardwood top).

Here is how the researchers have illustrated the attack scenario in case of a phone call.

Spearphone attack on calls

And, in case of media playback or interaction with voice assistants.

Spearphone attack on multimedia-voice assistant

The researchers primarily conducted this study on Android phones owing to their dominant market share and the ease of access by applications to a motion sensor. However the motion sensor ‘accelerometer’ was found to be more receptive to Spearphone attack than ‘gyroscope’.

Though, their study had some limitations that they have stated in their paper. This does not alleviate the dangers associated with this attack.

The researchers have advised implementing strict usage permission policy for Android apps as a possible mitigation. Moreover, users should also remain careful when allowing apps to access motion sensors on their devices. Besides, using vibration dampening material around the built-in loudspeakers on the device may also help mitigate the attack.

This isn’t the first time that a study has demonstrated the vulnerability of motion sensors. Earlier, researchers have demonstrated a sensor calibration attack involving motion sensors to track users’ online activities.

Let us know your thoughts in the comments.

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid