Smartphone sensors have been used to record users' movement for health purposes. However, motion sensor readings recorded by malicious applications can serve as a side channel that leaks user privacy through keystroke inference. Most existing approaches use time-domain statistical characteristics for keystroke inference. These systems capture subtle changes over short time periods poorly, since time-domain statistical features reflect only the characteristics of a long time interval. In this paper, we propose a novel framework to perform keystroke inference on smartphones. This framework introduces an improved MFCC algorithm to extract frequency-domain features, making more comprehensive use of the raw data. Since the frequency-domain energy distribution of motion signals is concentrated and the specificity of the signals is strong, MFCC can improve inference accuracy under complex scenarios. Based on this framework, we present a prototype called FreqKey, an inference system that leaks user privacy such as PINs and passwords. FreqKey collects motion sensor readings during keystroke events and constructs classification models with machine learning algorithms. Experimental results show that FreqKey improves performance in a variety of complex scenarios. In particular, even on the web platform, whose sampling rate is lower than 80 Hz, FreqKey achieves a relatively high accuracy of 74.6%. To mitigate the frequency-based side-channel attack and protect user privacy, we propose a defense solution that comprises sensor-activity monitoring, malicious program identification and interference signal injection.
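
The abstract's point that time-domain statistics miss what frequency-domain features capture, shown as an added example (not the paper's code): a textbook MFCC pipeline, not FreqKey's improved variant, run over two constructed 0.8 s windows. The 80 Hz rate, window length, tone frequencies and filter counts are assumptions chosen for illustration.

```python
import cmath
import math

FS = 80  # Hz, assumed sampling rate (the abstract cites web rates below 80 Hz)
N = 64   # samples per window (0.8 s), assumed

def tone(freq_hz):
    """Constructed stand-in for one sensor axis: a unit-amplitude sine."""
    return [math.sin(2 * math.pi * freq_hz * i / FS) for i in range(N)]

def time_stats(x):
    """Time-domain summary features: (mean, variance)."""
    m = sum(x) / len(x)
    return m, sum((v - m) ** 2 for v in x) / len(x)

def power_spectrum(x):
    """Power per DFT bin from 0 Hz to FS/2 (direct DFT, fine for short windows)."""
    n = len(x)
    return [abs(sum(v * cmath.exp(-2j * math.pi * k * t / n)
                    for t, v in enumerate(x))) ** 2 / n
            for k in range(n // 2 + 1)]

def mel(f):
    return 2595 * math.log10(1 + f / 700)

def inv_mel(m):
    return 700 * (10 ** (m / 2595) - 1)

def mfcc(x, n_filters=8, n_coeffs=5):
    """Textbook MFCC: power spectrum -> mel triangular filters -> log -> DCT-II."""
    ps = power_spectrum(x)
    freqs = [k * FS / len(x) for k in range(len(ps))]
    edges = [inv_mel(mel(FS / 2) * i / (n_filters + 1)) for i in range(n_filters + 2)]
    log_e = []
    for lo, mid, hi in zip(edges, edges[1:], edges[2:]):
        w = [max(0.0, min((f - lo) / (mid - lo), (hi - f) / (hi - mid))) for f in freqs]
        log_e.append(math.log(sum(a * p for a, p in zip(w, ps)) + 1e-12))
    return [sum(e * math.cos(math.pi * c * (j + 0.5) / n_filters)
                for j, e in enumerate(log_e)) for c in range(n_coeffs)]

def compare(f1=5.0, f2=15.0):
    """Return (largest gap in time stats, Euclidean distance between MFCCs)."""
    a, b = tone(f1), tone(f2)
    stat_gap = max(abs(p - q) for p, q in zip(time_stats(a), time_stats(b)))
    return stat_gap, math.dist(mfcc(a), mfcc(b))

if __name__ == "__main__":
    print(compare())
```

The two windows have the same mean and variance to within floating-point error, yet their cepstral vectors are far apart, which is why a defense that only coarsens time-domain summaries leaves the frequency-domain signal intact.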