Mobile keyloggers and touchscreen detection attacks
by: Michael Cobb
A recent proof of concept shines new light on the future of mobile keyloggers. Michael Cobb reviews how to keep touchscreen devices safe from attack.
A recent iOS flaw reportedly allows attackers to record on-screen touches. How does this work, and what sort of protection should we put into place to defend against it? Is this also an issue on other platforms?
Keylogging software, which records the keyboard keys pressed by a computer's user, is a common component of desktop malware. However, capturing characters entered via touchscreen on a PC, smartphone or tablet requires a completely different approach.
Unlike most desktop computers, which use a hardware-based keyboard and mouse to receive input from the user, smartphones receive user input by interpreting screen touches. Mobile operating systems on devices with touch-sensitive screens constantly monitor all screen touches to capture user commands such as swipes, pinches and taps. An on-screen image map is used to replicate a traditional keyboard. This means that a mobile keylogger needs both to capture the x and y coordinates of where the user is touching the screen and to get a screen grab of the device in order to deduce what the user is inputting.
While an attack that logs and accurately interprets screen touches is very complex, researchers at vendor FireEye Inc. have created a proof-of-concept application that runs in the background on iOS 7 devices and can monitor and record all of a user's touch and press events. Activities it captures include touches on the screen; pressing of the home and volume buttons; and the Touch ID, which is Apple's fingerprint reader on the latest iPhone. What's more, this application works on non-jailbroken iOS devices and is capable of sending the illicitly captured data to a remote server.
While this attack methodology is a long way from being able to compromise users on a massive scale, motivated attackers could target high-value individuals within an enterprise if they are worth the effort, because a lot of information can be derived solely from keystrokes. Apple Inc. is aware of this vulnerability and exploit technique, so it's safe to assume a fix will come eventually. In the meantime, the best approach to mitigating this type of attack is to ensure malicious apps never make it onto users' devices in the first place. This means allowing the installation of only reputable apps that have been risk-assessed by your IT team. Setting up an enterprise app storeand deploying a mobile device management, or MDM, product can also help ensure that only vetted apps that pass performance thresholds and meet security policy requirements are used on employee devices connecting to the enterprise network.
Security awareness training must emphasize that emails with links that supposedly allow the user to install a free app must never be followed, particularly those that play music. The reason why apps masquerading as music players are so risky is that touch monitoring requires its code to run in the background. Disabling an app's background refresh function can prevent any potential background monitoring, but this option can be bypassed by apps that play music in the background. Users must also know how to employ the task manager to see whether any unnecessary or suspicious apps are running in the background; a common warning sign is an iPhone or iPad that is running slowly or draining the battery more quickly than usual. Enterprise networks can also protect corporate data by actively monitoring traffic leaving the network and tracking down infected mobile devices by detecting unusual patterns in that traffic.
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)