Proof-of-Concept Malware Captures Every Tap On Smartphones Or Tablets

DavidGilbert99 writes: "Keylogging has been a big component of most malware in recent years, but with the advent of touch as the interface of choice on smartphones, tablets and — increasingly — laptops, it has been getting harder for cyber-criminals to know what you are doing. A researcher has developed a proof-of-concept piece of malware which is able to capture everything you are doing on your touch devices, from where you touch the screen to what is being displayed."

This is actually quite scary.

[Anonymous Coward]

I have to admit, I never considered this to be an issue. Now I'm quite scared by this revelation. So when I lay my cock across my iPad, are you telling me that criminals could accurately determine its length and girth? That makes me feel very, very uncomfortable!

Re:

[Anonymous Coward]

> I've just been forced to the shitty, rotten Slashdot beta

Bullshit. You just posted so you are not on the Beta. Posting has been broken on it for several weeks.

No valid distribution method...

[Kenja]

The article even says it would be unlikely to pass the various store security checks. So the moral still remains to not install software from an unknown and untrusted source. This is more or less a universal truism regardless of platform.

Re:

[sunderland56]

There are massive problems [technologyreview.com] with the Apple store security process; I'm sure that Google's and Amazon's are no better.

Re:

[Anubis IV]

It is good to shine the light on stuff like that, but let's be sure we keep the scale of the problem in context [techcrunch.com], since referring to it as a "massive problem" is quite a bit of an overstatement. Moreover, the connotation involved in the comparison with Google and Amazon suggests a false equivalency, when the fact is that one of them is suffering a malware incidence rate that is over two orders of magnitude greater than the one with the lowest rate (which, when you look at the raw numbers, isn't actually that

Re:

[warm_warmer]

Meanwhile, you can continue to install apps like those made by Silent Circle and pretend like you're having private conversations with people with phones that are apparently easy to complete own [slashdot.org].

Re:

[Anubis IV]

You neglected to mention the method by which they were owned. The NSA required physical access to the devices, and the attack, based on the details that leaked, was little more than jailbreaking the iPhone so that they could install a daemon that phoned home periodically. It also wasn't confirmed as working on anything after the iPhone 3G, which is significant, since the 3GS was when Apple introduced hardware-level encryption on their devices, though I'm guessing that's simply because the report was old, ra

Re:

[warm_warmer]

In the particular case linked above, yes, the NSA required physical access to the device. However, the article noted that "a remote version of the exploit is also in the works."

Regardless, there is ample attack area for someone determined to get into a phone (or your computer, or just about any connected device really), and the government pays big money to find exploits before they're publicly known [fastcompany.com] to do just that.

I would be very hesitant about claiming that the NSA couldn't figure out how to root th

Re:

[Anubis IV]

I'd agree. And, in fact, shortly after the date of that report, there was indeed a remote jailbreaking utility that was released, which had massive security implications. Apple has since closed that hole and no further ones have been publicly disclosed, but, as you said, the government pays good money for those sorts of exploits, so blanket statements that they don't exist should always be taken with a heaping grain of salt.

Re:

[Anubis IV]

It'd be easy to slip it in as an update to an existing piece of software, similar to the recent reports of Chrome extensions being purchased by companies that then turn them, via later updates, into advertising delivery vehicles. Android and jailbroken iOS are both vulnerable to this form of attack due to the forms of processing that they allow in the background, and the fact is, delivering it is not particularly difficult, since malware has already found its way onto these platforms (native iOS isn't as af

Re:

[bonehead]

add some OCR capabilities to the malware so that it can identify what key it is that you're hitting,

Um... You either don't understand what OCR is, or you're proposing a complex solution to a simple problem.

Re:

[Zynder]

He's future proofing obviously. The OCR software will be ready and waiting when Google Glass goes live! BWAHAHAHHAHAHHAHA! *ahem* excuse me :D

Re:

[Anubis IV]

If you read the article, the researcher's attack relies on sending screenshots back to the attacker, along with the coordinates for where the touch took place on the screen. He provided no means for automating the process of identifying which character appears at the touched location, so OCR seems to be exactly the correct tool for the job, given that it would allow an attacker to automate the process of extracting keypresses from the provided data. That said, I obviously agree that it would be a complex so

Re:

[euroq]

This article is bullshit. Someone wrote an Android app that stores information. That's not malware, that's an app. Malware would be doing it via holes in the system that are unprotected.

Re:

[Anachragnome]

http://noscript.net/ [noscript.net]

etch-a-sketch

[nurb432]

Now, try to log my actions...i dare you

One potential market for this software

[Dachannien]

This will be great news for all those people who think they aren't getting nearly enough information through Facebook about their friends' Candy Crush exploits.

How is this surprising ?

[Anonymous Coward]

Apps like VNC Server have been available on both Android and jail broken iOS. Getting the image of the screen, saving it on tap/touch, and sending it off elsewhere doesn't seem like it would need a proof of concept.

Proof-of-concept malware used to infect Android

[DTentilhao]

"What Hindocha has produced is a proof-of-concept piece of malware which can be used to infect Android smartphones and tablets as well as jailbroken iOS devices"

How does this malware get onto the device, without the user going to a malicious website, downloading and install the malware.

Proof of Concept

[Nerdfest]

I would guess that this could be snuck into some other appliction, possibly even through the Apple store if someone is very clever. It's just a proof of concept so far and Appple does not allow side-loading, while Android does, as do jailbroken devices.

Nothing new

[SSpade]

This approach - recording an image around each click - has been used by malware that attacks the on-screen keyboards used by some online banking systems for several years. (They use the online keyboards as an attempt to avoid keyboard sniffers getting account numbers).

This does is it on (insecure) mobile OSes rather than desktop OSes, but seems to be otherwise identical.

NSA will be all over this

[surfdaddy]

Anything they can gather data on, they will. That's their new M.O. and the nuisance of things like "process" and "warrants" and "the Constitution" go out the window.