Researcher to demo hack for logging Android, iOS touchscreen movements

A flaw that allowed users to break through the passcode screen was eliminated in iOS 7.0.2.
The "touchlogging" attack method will be presented in detail at RSA Conference next month.

At next month's RSA Conference, a security researcher will demo a hack that could allow an attacker to capture all the touchscreen movements a user makes on their Android or iOS device.

According to Neal Hindocha, a senior security consultant at Trustwave, the “touchlogging” attack method “seems like the logical continuation of keylogging” – when saboteurs plant malware on victims' computers to track their keyboard movements and steal sensitive inputted data.

Hindocha developed the proof-of-concept, which works on jailbroken iOS devices as well as on rooted and stock Android devices.

Once installed, the malware tracks where a user touches their screen, giving an attacker insight on logged passwords, usernames, banking information – and the list goes on.

The touchlogging attack also allows a saboteur to take screenshots of the victims' movements, which can create an even better picture of users' mobile activities.

In a Thursday email to, Hindocha said that “by taking screenshots and overlaying the X and Y coordinates on the screenshot, it is possible to see what the user is seeing, and [get] the information the user is inputting.”

He later spoke to some of the less obvious nuggets of information obtained by the malware, which became apparent to him throughout his research.

“One interesting aspect of this research is that initially, I thought the screenshot was a requirement to get something useful,” Hindocha wrote. “However, the more data I collect from my own phone, the more I realize that it is quite easy to determine certain patterns.”

One “pattern” was that a PIN or passcode was often the first thing to be inputted, after a phone had been locked due to being idle, he said.

Hindocha made note of other mobile habits that could be of use to attackers.

“Swipe motions up and down tend to indicate someone reading email, and touch events mainly in the area where the keyboard is, is often an indication of text input. In fact, differentiating between entering passcodes, moving around the home screen, writing emails and playing games is often not difficult, when only looking at the touch events (X / Y coordinates),” he explained.

The touchlogger malware can be installed on a target device using the usual attack vectors: through third-party app stores, by connecting a mobile device to an infected computer or through network-based attacks (like through open Wi-Fi networks), Hindocha revealed.

The researcher plans to show at least two demos on the attack method, as well as reveal more details on the hack, at the RSA Conference in San Francisco on Feb. 26.

“The research began by looking at the Windows platform, [and] seeing how powerful certain malware could be when it included keylogging functionality,” Hindocha wrote. “I wanted to bring this over to mobile, to see if similar techniques could be used to bypass security implementations when touchscreens were used.”
