Slashdot Mirror


Proof-of-Concept Malware Captures Every Tap On Smartphones Or Tablets

DavidGilbert99 writes: "Keylogging has been a big component of most malware in recent years, but with the advent of touch as the interface of choice on smartphones, tablets and — increasingly — laptops, it has been getting harder for cyber-criminals to know what you are doing. A researcher has developed a proof-of-concept piece of malware which is able to capture everything you are doing on your touch devices, from where you touch the screen to what is being displayed."

39 comments

  1. This is actually quite scary. by Anonymous Coward · · Score: 5, Funny

    I have to admit, I never considered this to be an issue. Now I'm quite scared by this revelation. So when I lay my cock across my iPad, are you telling me that criminals could accurately determine its length and girth? That makes me feel very, very uncomfortable!

  2. Re:PLEASE STOP FORCING US TO /. BETA! by Anonymous Coward · · Score: 0

    I was 'forced' into the /. Beta page as well, however nobeta=1 is working for me.

    Personally, I don't hate the Beta, but I prefer classic /. without all the big fancy pictures.

  3. No valid distribution method... by Kenja · · Score: 1

    The article even says it would be unlikely to pass the various store security checks. So the moral still remains to not install software from an unknown and untrusted source. This is more or less a universal truism regardless of platform.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:No valid distribution method... by sunderland56 · · Score: 2, Informative

      There are massive problems with the Apple store security process; I'm sure that Google's and Amazon's are no better.

    2. Re:No valid distribution method... by Anubis+IV · · Score: 2

      It'd be easy to slip it in as an update to an existing piece of software, similar to the recent reports of Chrome extensions being purchased by companies that then turn them, via later updates, into advertising delivery vehicles. Android and jailbroken iOS are both vulnerable to this form of attack due to the forms of processing that they allow in the background, and the fact is, delivering it is not particularly difficult, since malware has already found its way onto these platforms (native iOS isn't as affected, since even though the malware may be able to be delivered to it, the way it handles background processes would neuter the attack itself).

      Really, all that needs to be done by a malware developer beyond what's already been done is add some OCR capabilities to the malware so that it can identify what key it is that you're hitting, enabling it to know exactly what your username and password are. Or, better yet, somehow tie into the input system directly so that it can identify precisely what textual inputs are being provided, without any need for image recognition or processing.

    3. Re:No valid distribution method... by bonehead · · Score: 2

      > add some OCR capabilities to the malware so that it can identify what key it is that you're hitting,

      Um... You either don't understand what OCR is, or you're proposing a complex solution to a simple problem.

    4. Re:No valid distribution method... by Zynder · · Score: 1

      He's future proofing obviously. The OCR software will be ready and waiting when Google Glass goes live! BWAHAHAHHAHAHHAHA! *ahem* excuse me :D

    5. Re:No valid distribution method... by Anubis+IV · · Score: 2

      It is good to shine the light on stuff like that, but let's be sure we keep the scale of the problem in context, since referring to it as a "massive problem" is quite a bit of an overstatement. Moreover, the connotation involved in the comparison with Google and Amazon suggests a false equivalency, when the fact is that one of them is suffering a malware incidence rate that is over two orders of magnitude greater than the one with the lowest rate (which, when you look at the raw numbers, isn't actually that bad, but they're still not in the same vicinity as each other by any stretch of the imagination).

      A single proof of concept that's already been addressed (according to your source) and has yet to be seen in the wild beyond that initial research experiment is a negligible concern, not a massive one. It's worth sharing and worth calling Apple to task on, but let's not overstate the issue.

    6. Re:No valid distribution method... by Anubis+IV · · Score: 1

      If you read the article, the researcher's attack relies on sending screenshots back to the attacker, along with the coordinates for where the touch took place on the screen. He provided no means for automating the process of identifying which character appears at the touched location, so OCR seems to be exactly the correct tool for the job, given that it would allow an attacker to automate the process of extracting keypresses from the provided data. That said, I obviously agree that it would be a complex solution to a simple problem, since I already suggested a simpler way to address the issue in the very next sentence after when I mentioned OCR.

      Why you immediately jumped to thinking that I don't know what OCR is or that I'm advising it as an ideal solution is beyond me.

    7. Re:No valid distribution method... by Anonymous Coward · · Score: 0

      Did you read TFA?

      This technique doesn’t work on non-jailbroken iOS devices. You know, like most of them.
      Sure, the author thinks it could work, but obviously couldn’t actually get it to work himself.

      So, even if there are “massive problems” in Apple’s store review process, the 99%+ of iOS users who didn’t opt to neuter their devices into having no on-device security are unaffected.

      Android, on the other hand, is affected on 100% of their devices because both their app distribution and on-device security model suck.

    8. Re:No valid distribution method... by warm_warmer · · Score: 1

      Meanwhile, you can continue to install apps like those made by Silent Circle and pretend like you're having private conversations with people with phones that are apparently easy to completely own.

    9. Re:No valid distribution method... by Anubis+IV · · Score: 1

      You neglected to mention the method by which they were owned. The NSA required physical access to the devices, and the attack, based on the details that leaked, was little more than jailbreaking the iPhone so that they could install a daemon that phoned home periodically. It also wasn't confirmed as working on anything after the iPhone 3G, which is significant, since the 3GS was when Apple introduced hardware-level encryption on their devices, though I'm guessing that's simply because the report was old, rather than because the attack wasn't effective. The same form of attack was also confirmed against Android (and Blackberry) at the time that these reports regarding the iPhone got out, but the news sites pretty much glossed over that fact.

      Anyone here on Slashdot should already know that if you compromise physical access, you've compromised the device. The NSA's attack was not a remote one, and jailbreaking/rooting is a common feature on all smartphones today, so this attack was hardly novel or fear-inspiring. The only thing worrying about it was the way that they gained physical access, which included the interception of packages that were en route, unwrapping them, tampering with them, then resealing them and sending them on their way. That, to me, was more worrying than the attack itself, since if the NSA couldn't figure out how to root my phone and install whatever they felt like if I gave them physical access, I'd call their technical competency into question.

    10. Re:No valid distribution method... by warm_warmer · · Score: 1

      In the particular case linked above, yes, the NSA required physical access to the device. However, the article noted that "a remote version of the exploit is also in the works."

      Regardless, there is ample attack area for someone determined to get into a phone (or your computer, or just about any connected device really), and the government pays big money to find exploits before they're publicly known to do just that.

      I would be very hesitant about claiming that the NSA couldn't figure out how to root the phone - it likely was just the easiest way for this particular program.

    11. Re:No valid distribution method... by Anubis+IV · · Score: 1

      I'd agree. And, in fact, shortly after the date of that report, there was indeed a remote jailbreaking utility that was released, which had massive security implications. Apple has since closed that hole and no further ones have been publicly disclosed, but, as you said, the government pays good money for those sorts of exploits, so blanket statements that they don't exist should always be taken with a heaping grain of salt.

    12. Re:No valid distribution method... by euroq · · Score: 1

      This article is bullshit. Someone wrote an Android app that stores information. That's not malware, that's an app. Malware would be doing it via holes in the system that are unprotected.

      --
      Just because the U.S. is a republic does not mean it is not a democracy. Democracy/republic are not mutually exclusive.
  4. etch-a-sketch by nurb432 · · Score: 1

    Now, try to log my actions... I dare you

    --
    ---- Booth was a patriot ----
    1. Re:etch-a-sketch by Anonymous Coward · · Score: 0

      I see that you are drawing a penis on your etch-a-sketch... and then touching it.

  5. Re:PLEASE STOP FORCING US TO /. BETA! by Anonymous Coward · · Score: 1

    > I've just been forced to the shitty, rotten Slashdot beta

    Bullshit. You just posted so you are not on the Beta. Posting has been broken on it for several weeks.

  6. One potential market for this software by Dachannien · · Score: 2

    This will be great news for all those people who think they aren't getting nearly enough information through Facebook about their friends' Candy Crush exploits.

  7. Re:I got sent to the beta site again, and I hate i by Anachragnome · · Score: 1
  8. How is this surprising ? by Anonymous Coward · · Score: 1

    Apps like VNC Server have been available on both Android and jailbroken iOS. Getting the image of the screen, saving it on tap/touch, and sending it off elsewhere doesn't seem like it would need a proof of concept.

  9. LOL by Anonymous Coward · · Score: 0

    LOL! Posting works fine from the beta site. I know, because I'm unfortunately doing so right now, and wish with all my heart that I was not. But I do think it's really funny that your comment had been modded up to +3, Insightful even though it isn't correct. Enough mods actually think that the beta site is so broken that they'd mod you up so highly! LOL! But seriously folks, this beta site really is the dumps. If this goes live, Slashdot is going to be a userless site just like Digg.

    1. Re:LOL by Anonymous Coward · · Score: 0

      > +3, Insightful

      I check my post every few minutes since I first posted it, and the highest I've seen is a +1. Maybe the Beta site is broken again.

  10. Proof-of-concept malware used to infect Android by DTentilhao · · Score: 1

    "What Hindocha has produced is a proof-of-concept piece of malware which can be used to infect Android smartphones and tablets as well as jailbroken iOS devices"

    How does this malware get onto the device, without the user going to a malicious website, downloading and installing the malware?

  11. Nothing new by SSpade · · Score: 1

    This approach - recording an image around each click - has been used by malware that attacks the on-screen keyboards used by some online banking systems for several years. (They use the online keyboards as an attempt to avoid keyboard sniffers getting account numbers).

    This does it on (insecure) mobile OSes rather than desktop OSes, but seems to be otherwise identical.

    1. Re:Nothing new by Anonymous Coward · · Score: 0

      Private API's.
      No such thing they are lurking and available to all - but they are a breach of any security model - as old as the PEEK and POKE commands on elderly TRS-80's. Add to the fact that drivers are full of bugs and their owners are too cheap to re-write them using updated string commands and range-checking. A perfect storm of insecurity, in the name of holy profit.

      Video card DMA hacks and private API's to get them into diagnostic mode have also been known about for ages - which is why open source is a bit behind - because the companies cheated by driver shortcuts, as did Microsoft in the DOS 3.1 era.

      Fast forward to today. Nearly everything has a cpu, with ram and eeprom, able and ready to stash keystrokes. Logic analysers are cheap. However the skill of the engineers and systems programmers is way down from what it used to be.

      A paper and pen has no cpu - and is safe

  12. Re:PLEASE STOP FORCING US TO /. BETA! by Anonymous Coward · · Score: 0

    You know, I log in with a user account and use the old fashioned (90's era) look and feel. Maybe you should try it.

  13. I need this software, ASK SLASHDOT by Anonymous Coward · · Score: 0

    Ok guys. I post here a lot but the embarrassment of the situation has forced me to post AC. THIS IS NOT A TROLL OR JOKE. It may sound like it though, I apologize.

    I need to know the names and/or locations of the Android software that does stuff like this. The kind that remotely turns on the cams and mic and all that kind of thing. My cursory attempt at Googling has turned up nothing since I imagine those links are scoured away by law enforcement and/or Google. I have no malicious intent though. Here's the embarrassing part: My wife fucks me maybe twice a month. I hate it. I'd like it at least twice a week. Come to find out there's a correlation to days that when she masturbates, she won't have sex with me. She ALWAYS denies masturbating at all. I guess it embarrasses her or something, I don't know. She is usually very predictable and so this has allowed me for the past couple of years to keep tabs of when she rubs one out. I do this by keeping track of the locations of her 2 sex toys, marking/memorizing their positions so I know if they have been moved, keeping a count of battery consumption, and tracking when she looks at porn on her browsers. I even had that iSpy software set to trigger a recording off of my webcam when porn surfing was detected. However, we moved about 6 months ago and the new place is all setup differently and she's had to relearn a new jerking off routine. I can no longer use iSpy unless I want to start buying hidden cams in alarm clocks. She also learned what the Private Browsing mode of Firefox was about so I had to swap to logging traffic at the router. Turns out though that her new preferred jerk off spot is in a room that has no computers so she's switched to watching her porn over her smartphone or tablet. The problem with that is that she often turns off the wifi and when she does, I obviously can't log web traffic. So that is what I'd like the software to do: log web traffic and relay it to me, and allow me to watch her smack the monkey.

    I'm asking YOU, fellow /. perverts, what solutions have you come up with to watch your significant others masturbate? Just throw me out some names of software and perhaps where I could find it. I know I can't be the only nerd on this site that has voyeuristic tendencies XD!

    1. Re: I need this software, ASK SLASHDOT by Anonymous Coward · · Score: 0

      I'm disappointed guys. Not even a "dude she's totally cheating on you cause you have a little dick" c'mon! help a brotha out here.

  14. NSA will be all over this by surfdaddy · · Score: 1

    Anything they can gather data on, they will. That's their new M.O. and the nuisance of things like "process" and "warrants" and "the Constitution" go out the window.

    1. Re:NSA will be all over this by Anonymous Coward · · Score: 0

      Yeeeeeahhh. I was wondering when the first fucktard was going to bring in the NSA. Got any clever Snowden or bitcoin statements you want to add as well?

  15. Proof of Concept by Nerdfest · · Score: 1

    I would guess that this could be snuck into some other application, possibly even through the Apple store if someone is very clever. It's just a proof of concept so far and Apple does not allow side-loading, while Android does, as do jailbroken devices.

  16. Re:PLEASE STOP FORCING US TO /. BETA! by Anonymous Coward · · Score: 0

    You could always replace the word beta for www in the url. Seems to work for me when /. forces the all-new poo-crap white-space on me...

  17. Re:PLEASE STOP FORCING US TO /. BETA! by Anonymous Coward · · Score: 0

    http://slashdot.org/?nobeta=1