Human ears are profoundly limited sensors. Animals can respond to a whole range of sounds beyond our hearing and so can, it turns out, special kinds of malware.

Security researchers at the UK’s Lancaster University and Linköping University in Sweden published a novel attack that uses sounds emitted from a phone at frequencies humans can’t hear as a sort of sonar to infer where the user swiped a passcode to unlock an Android phone. While this attack has yet to be observed in the wild, it’s worth understanding to get the security implications right.

Caveats up front: not only has this attack not been observed yet, it requires malware installed on the target phone, built to the specific make and model of phone. There are multiple pathways to install malware on a phone, so this is more of a targeted attack on an individual than an attack of opportunity on a stranger in public, say.

Spotted by NakedSecurity, the study is one of a growing body of security research into acoustic vectors for bypassing known security features.

The malware emits a sound at between 18kHz and 20kHz through the smartphone’s speaker. As the person swipes their unlock code on the Android phone, those sound waves bounce off the finger and are recorded by the microphone. From that data (and likely multiple iterations on the same model of phone beforehand to interpret that data), the malware reduces the possible swipe patterns into a fraction of what they once were.

Paired with a database of most-used unlock patterns, a tool like this can increase the odds of a successful intrusion of a captured and targeted phone, even with features turned on that permanently lock the phone after a set number of tries to break into it.

If there is a lesson in this for the security industry, it’s that the basics of phone security may have to expand to include auditory attacks imperceptible to the human users.