New proof-of-concept mobile malware logs keystrokes and captures screen-grabs on jailbroken iOS and Android devices in order to steal online log-in credentials and other sensitive information from targeted devices.
In an interview with Threatpost, Trustwave senior security consultant Neal Hindocha broadly explained how his proof-of-concept works, which he will present in earnest at the RSA Conference next month.
The genesis for Hindocha’s work emerges from a simple and well-established reality: the mere fact that mobile devices are increasingly used for payment and online banking means that criminals will increasingly design tools to steal payment and other sensitive data from them.
Hindocha explained that one of the central components of widely deployed, desktop-targeting financial malware is keylogging software. In a sense, he merely waondered if keyloggers are on the precipice of becoming as much of a nuisance for mobile users as they currently are for desktop and laptop users. In order to determine this, he needed to know if he could isolate the critical aspects of banking malware and use them to target banking applications on alternative, in this case mobile, operating systems.
Hindocha explained that there are already a number of mobile keylogging utilities, particularly for Android. However, mobile keyloggers are different from Windows-specific ones in that a Windows keylogger quite simply collects every keystroke entered by the user. On the other hand, mobile application developers have the option of creating custom keyboards for their apps. Because of this, Hindocha reasoned that a dynamic mobile banking threat would need to make use of screen-grabs as well as keyloggers.
“If you know the X and Y coordinates of where the user is touching the screen and you know what they are looking at,” Hindocha said, “then basically you see everything the user is seeing and you get all the data the user is inputting.”
The risk this attack poses toward users of devices that are not jailbroken is minimal, but anyone who has rooted a jailbroken device is at risk. It’s possible that a person can be attacked, Hindocha claims, but it’s unlikely to become widespread.
“I don’t think it is viable to infect 100,000 people with this, because what you are getting out of it is X and Y coordinates of where someone touched the screen,” he said. “You can in most instances combine that with screenshots. It’s difficult to do any type of data harvesting on large amounts of data when all you’re looking at are key-strokes and touch coordinates and pictures.”
In other words, it’s more likely that this sort of malware or threat would be deployed in a highly targeted manner, seeking to pilfer information from individuals or companies.
While Hindocha initially believed that screen-grabs were an integral part of his proof-of-concept, he came to realize that he could discern all sorts of information with only the keystrokes as well. For example, he said, if no one touches the screen for an hour, and then logging software picks up between four and eight screen-touches, you can assume the user has just entered the access PIN. More than 20 touches apparently indicates that a user is typing something. Between four and fifteen may indicate a password is being entered. Peripheral touches likely indicate that the user is playing a game. A deeper examination of screen-touching patterns would likely reveal more useful information collected by the keylogger.
Again, Hindocha’s research pertains only to rooted devices. Therefore there really isn’t much that the vendors – Apple and Google – can do to mitigate this sort of attack. He did note however that Apple already has safeguards in place to prevent this from occurring. Google though, Hindocha claims, often trades security for functionality.
“The price of functionality is security in many, many cases,” Hindocha said, mirroring a widely held sentiment. “And I think that it is a difficult balance for [Google]. They want to provide a lot of functionality but at the same time they want to give you security. So I think that there are choices that they have made that have resulted in this being possible. I think they could make the choices differently and that would have a different result but there would be a cost in terms of functionality.”
The good thing about bringing this research to light, Hindocha went on, is that companies with high security requirements are aware of this sort of threat. They can implement safeguards to try and protect their data by actively seeking out vulnerable and infected machines and by detecting certain patterns regarding where network data is going.
“There are things that can be done,” he said. “I don’t think we should rely on Apple or Google to fix them.”
Hindocha also expressed concern that his proof-of-concept could be used to target special platforms, like the mobile-based point-of-sale systems that are increasingly deployed at retail locations.
To be clear, Hindocha’s attack is theoretically possible, albeit far more difficult on non-rooted Android devices. In the case of a standard operating system build, in order to pilfer screen-grabs in addition to keystrokes, the Android device would need to be plugged into a computer, where the screen-grabs would be uploaded. The attacker would then need to locate the folder containing the grabs and steal them from there.
Hindocha’s RSA presentation, in which he’ll detail the finer, technical aspects of his research, is slotted for Feb. 25 at 8 a.m.