RSA 2014: Touchlogging the new attack vector for mobile hackers

Two senior security researchers have detailed how hackers can use "touchlogging" attack techniques to take control of iOS and Android devices.

NSA has cracked the iPhone, claims researcher
NSA has cracked the iPhone, claims researcher

Neal Hindocha, senior security consultant at Trustwave, first announced his research last month, where he ran through how he was able to install malware on rooted Android and jailbroken iOS devices to see logs on where the user touches the screen.

Specifically, he said that he was able to locate the X-Y coordinates on a smartphone's touchscreen, and estimate the area on the screen being ‘touched', which would be enough alone to bypass the virtual keyboard log-in process needed for accessing the device and even for passing security on some online financial services. At the time, Hindocha described it as a “logical continuation of keylogging”.

Touchlogging targets jailbroken and routes devices

"We discussed the problem and, whilst there have been proof-of-concept keyboard bypasses in the past, this is the first time that the security of a virtual keypad has been beaten," he told SCMagazineUK.com.

But Hindocha went one step further at the RSA conference on Wednesday, where he and Nathan McCauley, security engineering manager and mobile payments firm Square, demonstrated how they were able to hack into rooted and jailbroken Android and iOS devices – as well as those that haven't been tampered with.

Hindocha said that his research into mobile touchlogging was born out of desktop malware where hackers have increasingly found that they are “quite successful in getting money through”. 

Both he and McCauley detailed how they were able to attack predominantly jailbroken and rooted devices, but also revealed flaws on Android devices where they could be compromised by the same attack methodology when connected via USB to the PC (often required for battery charging) or when they had USB debugging disabled.

But worryingly, the Trustwave analyst – an industry veteran formerly of Symantec and Verizon Business– said that hackers could get enough data just by data logs and as such -  and wouldn't necessarily need the screenshots, something he insisted upon in his initial research.

“When we stated this, I thought we really wanted screenshots but as we progressed the project, we realised that it is easy to see what's happening around the touch dots,” he told conference attendees. “It was a lot easier than expected, and you can get really far from basic logging and touch dots.”

McCauley detailed that iOS vulnerabilities come about when iPhones and iPads are first jailbroken, subject to method swizzling (essentially a type of programming which allows for a man-in-the-middle attack in an attempt to steal data). But he said that these can be avoided embracing jailbreak detection, checking for method swizzling in the code and screen mirroring to check for hackers exfilitrating screenshots.

But more worryingly, Hindocha said that both rooted and non-rooted Android devices can be targeted using this method of attack.

On routed devices, he said that hackers can run command ‘Getevent' in order to get X-Y coordinates on any touches that occur on the device, the home button, or even when someone stops pressing on the screen.  But on unrooted devices, this attack can also be carried out albeit “not directly on the device” – something Symantec unearthed when it came across the Trojan.Droidpack bug.

This does rely on the Android device being connected via USB to the desktop, where hackers can run Android Debug Bridge (ADB) to run getevent and grab screenshots, PIN codes and other types of personal information.

These aren't the only vulnerabilities susceptible to touchlogging tactics. Trustwave's Hindocha found that live wallpapers – fairly commonplace on Android smartphones – log events, which can be a security issue when they run in the background while other widgets are being used. There are also concerns over overlays, like social networking chat functions, which run in the background as users commit to other tasks.

On the plus side, Hindocha said that cracking Windows-powered phones is proving to be more difficult in this regard.

Attackers switch sights to mobile

All of this, according to Hindocha (whose slides can be found here), makes for a trend that is growing, with malware authors increasingly turning their attention to the mobile landscape.

“The malware is quite advanced at this point, it's quite impressive actually. Attackers are following users so are going to mobile. It's inevitable we are going to see an increase in this space.”

This demonstration was just days after FireEye had discovered the same touchlogging vulnerability on iOS devices that were not jailbroken. The keylogging flaw enables hackers to potentially record every keystroke made on iOS 7 but remains unpatched by Apple. Until that happens, FireEye is urging users to use the iOS task manager to prevent possible background monitoring.

Sign up to our newsletters