Slashdot Mirror

← Back to Stories (view on slashdot.org)

Proof-of-Concept Malware Captures Every Tap On Smartphones Or Tablets

Posted by Soulskill on from the keyloggers-for-the-mobile-consumer dept.

DavidGilbert99 writes: "Keylogging has been a big component of most malware in recent years, but with the advent of touch as the interface of choice on smartphones, tablets and — increasingly — laptops, it has been getting harder for cyber-criminals to know what you are doing. A researcher has developed a proof-of-concept piece of malware which is able to capture everything you are doing on your touch devices, from where you touch the screen to what is being displayed."

22 of 39 comments (clear)

  1. This is actually quite scary. by Anonymous Coward · · Score: 5, Funny

    I have to admit, I never considered this to be an issue. Now I'm quite scared by this revelation. So when I lay my cock across my iPad, are you telling me that criminals could accurately determine its length and girth? That makes me feel very, very uncomfortable!

  2. No valid distribution method... by Kenja · · Score: 1

    The article even says it would be unlikely to pass the various store security checks. So the moral still remains to not install software from an unknown and untrusted source. This is more or less a universal truism regardless of platform.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:No valid distribution method... by sunderland56 · · Score: 2, Informative

      There are massive problems with the Apple store security process; I'm sure that Google's and Amazon's are no better.

    2. Re:No valid distribution method... by Anubis+IV · · Score: 2

      It'd be easy to slip it in as an update to an existing piece of software, similar to the recent reports of Chrome extensions being purchased by companies that then turn them, via later updates, into advertising delivery vehicles. Android and jailbroken iOS are both vulnerable to this form of attack due to the forms of processing that they allow in the background, and the fact is, delivering it is not particularly difficult, since malware has already found its way onto these platforms (native iOS isn't as affected, since even though the malware may be able to be delivered to it, the way it handles background processes would neuter the attack itself).

      Really, all that needs to be done by a malware developer beyond what's already been done is add some OCR capabilities to the malware so that it can identify what key it is that you're hitting, enabling it to know exactly what your username and password are. Or, better yet, somehow tie into the input system directly so that it can identify precisely what textual inputs are being provided, without any need for image recognition or processing.

    3. Re:No valid distribution method... by bonehead · · Score: 2

      add some OCR capabilities to the malware so that it can identify what key it is that you're hitting,

      Um... You either don't understand what OCR is, or you're proposing a complex solution to a simple problem.

    4. Re:No valid distribution method... by Zynder · · Score: 1

      He's future proofing obviously. The OCR software will be ready and waiting when Google Glass goes live! BWAHAHAHHAHAHHAHA! *ahem* excuse me :D

    5. Re:No valid distribution method... by Anubis+IV · · Score: 2

      It is good to shine the light on stuff like that, but let's be sure we keep the scale of the problem in context, since referring to it as a "massive problem" is quite a bit of an overstatement. Moreover, the connotation involved in the comparison with Google and Amazon suggests a false equivalency, when the fact is that one of them is suffering a malware incidence rate that is over two orders of magnitude greater than the one with the lowest rate (which, when you look at the raw numbers, isn't actually that bad, but they're still not in the same vicinity as each other by any stretch of the imagination).

      A single proof of concept that's already been addressed (according to your source) and has yet to be seen in the wild beyond that initial research experiment is a negligible concern, not a massive one. It's worth sharing and worth calling Apple to task on, but let's not overstate the issue.

    6. Re:No valid distribution method... by Anubis+IV · · Score: 1

      If you read the article, the researcher's attack relies on sending screenshots back to the attacker, along with the coordinates for where the touch took place on the screen. He provided no means for automating the process of identifying which character appears at the touched location, so OCR seems to be exactly the correct tool for the job, given that it would allow an attacker to automate the process of extracting keypresses from the provided data. That said, I obviously agree that it would be a complex solution to a simple problem, since I already suggested a simpler way to address the issue in the very next sentence after when I mentioned OCR.

      Why you immediately jumped to thinking that I don't know what OCR is or that I'm advising it as an ideal solution is beyond me.

    7. Re:No valid distribution method... by warm_warmer · · Score: 1

      Meanwhile, you can continue to install apps like those made by Silent Circle and pretend like you're having private conversations with people with phones that are apparently easy to complete own.

    8. Re:No valid distribution method... by Anubis+IV · · Score: 1

      You neglected to mention the method by which they were owned. The NSA required physical access to the devices, and the attack, based on the details that leaked, was little more than jailbreaking the iPhone so that they could install a daemon that phoned home periodically. It also wasn't confirmed as working on anything after the iPhone 3G, which is significant, since the 3GS was when Apple introduced hardware-level encryption on their devices, though I'm guessing that's simply because the report was old, rather than because the attack wasn't effective. The same form of attack was also confirmed against Android (and Blackberry) at the time that these reports regarding the iPhone got out, but the news sites pretty much glossed over that fact.

      Anyone here on Slashdot should already know that if you compromise physical access, you've compromised the device. The NSA's attack was not a remote one, and jailbreaking/rooting is a common feature on all smartphones today, so this attack was hardly novel or fear-inspiring. The only thing worrying about it was the way that they gained physical access, which included the interception of packages that were en route, unwrapping them, tampering with them, then resealing them and sending them on their way. That, to me, was more worrying than the attack itself, since if the NSA couldn't figure out how to root my phone and install whatever they felt like if I gave them physical access, I'd call their technical competency into question.

    9. Re:No valid distribution method... by warm_warmer · · Score: 1

      In the particular case linked above, yes, the NSA required physical access to the device. However, the article noted that "a remote version of the exploit is also in the works."

      Regardless, there is ample attack area for someone determined to get into a phone (or your computer, or just about any connected device really), and the government pays big money to find exploits before they're publicly known to do just that.

      I would be very hesitant about claiming that the NSA couldn't figure out how to root the phone - it likely was just the easiest way for this particular program.

    10. Re:No valid distribution method... by Anubis+IV · · Score: 1

      I'd agree. And, in fact, shortly after the date of that report, there was indeed a remote jailbreaking utility that was released, which had massive security implications. Apple has since closed that hole and no further ones have been publicly disclosed, but, as you said, the government pays good money for those sorts of exploits, so blanket statements that they don't exist should always be taken with a heaping grain of salt.

    11. Re:No valid distribution method... by euroq · · Score: 1

      This article is bullshit. Someone wrote an Android app that stores information. That's not malware, that's an app. Malware would be doing it via holes in the system that are unprotected.

      --
      Just because the U.S. is a republic does not mean it is not a democracy. Democracy/republic are not mutually exclusive.
  3. etch-a-sketch by nurb432 · · Score: 1

    Now, try to log my actions...i dare you

    --
    ---- Booth was a patriot ----
  4. Re:PLEASE STOP FORCING US TO /. BETA! by Anonymous Coward · · Score: 1

    > I've just been forced to the shitty, rotten Slashdot beta

    Bullshit. You just posted so you are not on the Beta. Posting has been broken on it for several weeks.

  5. One potential market for this software by Dachannien · · Score: 2

    This will be great news for all those people who think they aren't getting nearly enough information through Facebook about their friends' Candy Crush exploits.

  6. Re:I got sent to the beta site again, and I hate i by Anachragnome · · Score: 1

    http://noscript.net/

  7. How is this surprising ? by Anonymous Coward · · Score: 1

    Apps like VNC Server have been available on both Android and jail broken iOS. Getting the image of the screen, saving it on tap/touch, and sending it off elsewhere doesn't seem like it would need a proof of concept.

  8. Proof-of-concept malware used to infect Android by DTentilhao · · Score: 1

    "What Hindocha has produced is a proof-of-concept piece of malware which can be used to infect Android smartphones and tablets as well as jailbroken iOS devices"

    How does this malware get onto the device, without the user going to a malicious website, downloading and install the malware.

  9. Nothing new by SSpade · · Score: 1

    This approach - recording an image around each click - has been used by malware that attacks the on-screen keyboards used by some online banking systems for several years. (They use the online keyboards as an attempt to avoid keyboard sniffers getting account numbers).

    This does is it on (insecure) mobile OSes rather than desktop OSes, but seems to be otherwise identical.

  10. NSA will be all over this by surfdaddy · · Score: 1

    Anything they can gather data on, they will. That's their new M.O. and the nuisance of things like "process" and "warrants" and "the Constitution" go out the window.

  11. Proof of Concept by Nerdfest · · Score: 1

    I would guess that this could be snuck into some other appliction, possibly even through the Apple store if someone is very clever. It's just a proof of concept so far and Appple does not allow side-loading, while Android does, as do jailbroken devices.