A Trustwave security researcher will use a security conference next month to demonstrate how an attacker could capture all touchscreen movements a user makes on their Android or iOS device.
Neal Hindocha sees “touchlogging” as a “logical continuation of keylogging”, where saboteurs plant malware on victims' computers to track their keystrokes and steal sensitive data as it is entered.
Hindocha developed a “touchlogging” proof-of-concept, which works on jailbroken iOS devices, in addition to rooted and stock Android devices.
Once installed, the malware tracks where a user touches the screen, giving an attacker insight into logged passwords, usernames and anything else the user touches for the purpose of data entry.
The attack also allows a saboteur to take screenshots of the victims' movements, which can create an even better picture of users' mobile activities.
In a Thursday email to SCMagazine.com, Hindocha said that “by taking screenshots and overlaying the X and Y coordinates on the screenshot, it is possible to see what the user is seeing, and [get] the information the user is inputting.”
He later described some of the less obvious information obtained by the malware, which became apparent to him during his research.
“One interesting aspect of this research is that initially, I thought the screenshot was a requirement to get something useful,” Hindocha wrote.
“However, the more data I collect from my own phone, the more I realise that it is quite easy to determine certain patterns.”
One “pattern” is that a PIN or passcode is often the first thing to be entered after a phone has been locked due to being idle, he said.
Hindocha made note of other mobile habits that could be of use to attackers.
“Swipe motions up and down tend to indicate someone reading email, and touch events mainly in the area where the keyboard is, is often an indication of text input. In fact, differentiating between entering passcodes, moving around the home screen, writing emails and playing games is often not difficult, when only looking at the touch events (X / Y coordinates),” he explained.
The touchlogger malware can be installed on a target device using the usual attack vectors: through third-party app stores, by connecting a mobile device to an infected computer or through network-based attacks (such as via Wi-Fi networks), Hindocha said.
The researcher plans to show at least two demonstrations of the attack method, as well as reveal more details, at the RSA Conference in San Francisco on February 26.