This work reveals that inherent microsecond-level timing asynchrony between smartphone IMU sensors (gyroscope and accelerometer) can be maliciously exploited to bypass Android’s software-enforced 200 Hz IMU sampling rate limit, enabling effective high-rate acoustic side-channel eavesdropping. We propose STAG, a novel attack that requires no jailbreak, hardware modification, or additional permissions; instead, it leverages precise timing modeling and multi-sensor data fusion to resample asynchronous IMU signals and inversely reconstruct the vibration-to-speech mapping. Evaluated on mainstream Android devices, STAG successfully recovers intelligible speech, reducing word error rate by 83.4% over prior approaches. Critically, it demonstrates—for the first time—that IMUs remain persistently vulnerable to voice leakage even under compliant sampling rates, thereby invalidating existing defense paradigms predicated solely on sampling-rate restrictions.

The increasing use of voice assistants and related applications has raised significant concerns about the security of Inertial Measurement Units (IMUs) in smartphones. These devices are vulnerable to acoustic eavesdropping attacks, jeopardizing user privacy. In response, Google imposed a rate limit of 200 Hz on permission-free access to IMUs, aiming to neutralize such side-channel attacks. Our research introduces a novel exploit, STAG, which circumvents these protections. It induces a temporal misalignment between the gyroscope and accelerometer, cleverly combining their data to resample at higher rates and reviving the potential for eavesdropping attacks previously curtailed by Google's security enhancements. Compared to prior methods, STAG achieves an 83.4% reduction in word error rate, highlighting its effectiveness in exploiting IMU data under restricted access and emphasizing the persistent security risks associated with these sensors.