According to Neal Hindocha, a senior security consultant at Trustwave, the “touchlogging” attack method “seems like the logical continuation of keylogging” – when saboteurs plant malware on victims' computers to track their keyboard movements and steal sensitive inputted data.
Hindocha developed the proof-of-concept which works on jailbroken iOS devices, in addition to rooted and stock Android devices.
Once installed, the malware tracks where a user touches their screen, giving an attacker insight on logged passwords, usernames, banking information – and the list goes on.
The touchlogging attack also allows a saboteur to take screenshots of the victims' movements, which can create an even better picture of users' mobile activities.
In a Thursday email to SCMagazine.com, Hindocha said that “by taking screenshots and overlaying the X and Y coordinates on the screenshot, it is possible to see what the user is seeing, and [get] the information the user is inputting.”
He later spoke to some of the less obvious nuggets of information obtained by the malware, which became apparent to him throughout his research.
“One interesting aspect of this research is that initially, I thought the screenshot was a requirement to get something useful,” Hindocha wrote. “However, the more data I collect from my own phone, the more I realize that it is quite easy to determine certain patterns.”
One “pattern” was that a PIN or passcode was often the first thing to be inputted, after a phone had been locked due to being idle, he said.
Hindocha made note of other mobile habits that could be of use to attackers.
“Swipe motions up and down tend to indicate someone reading email, and touch events mainly in the area where the keyboard is, is often an indication of text input. In fact, differentiating between entering passcodes, moving around the home screen, writing emails and playing games is often not difficult, when only looking at the touch events (X / Y coordinates),” he explained.
The touchlogger malware can be installed on a target device using the usual attack vectors: through third-party app stores, by connecting a mobile device to an infected computer or through network-based attacks (like through open Wi-Fi networks), Hindocha revealed.
The researcher plans to show at least two demos on the attack method, as well as reveal more details on the hack, at the RSA Conference in San Francisco on Feb. 26.
“The research began by looking at the Windows platform, [and] seeing how powerful certain malware could be when it included keylogging functionality,” Hindocha wrote. “I wanted to bring this over to mobile, to see if similar techniques could be used to bypass security implementations when touchscreens were used."