Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
This is part two in my Touchlogging series, you can find part one here.
In part one, I wrote a little bit about the background and how to intercept touch events on jailbroken iOS. This part will focus on Android. I do recommend that you start with part one even if you are not interested in iOS.
Let's start with rooted Android devices. How can X and Y coordinates of touch events be captured? As it turns out, we can open a shell and type getevent: that's it, mission accomplished. What getevent is doing is reading from /dev/input, so we can just as well read the information from there directly. With root access, we can use getevent or read from /dev/input directly on the device.
What if the device is not rooted? We can actually still use getevent, but it has to be triggered via an ADB shell, which in turn requires USB debugging to be enabled on the device. This is possible because the rights are elevated when accessing the device through ADB.
Now we know how to capture events on rooted android devices and non-rooted android through ADB, but can we capture events directly on non-rooted android devices? This also turns out to be possible with some caveats. There are two ways that I found. The first one is live wallpapers. Basically, all touch events that occur when the live wallpaper is visible are sent to the live wallpaper. This in itself is useful for capturing information entered into widgets. However, additionally, if you know the layout of the screen of the victim, it may be possible to combine this with other attacks, such as by overlaying the screen to get user input.
This brings me right into the next way I found for capturing touch events on non-rooted Android devices; overlay the screen. Using TYPE_SYSTEM_ALERT, it is possible to create screen overlays. The rule for the overlays appear to be as follows (I say "appear to be" as this is based on tests I have done myself). If the width of the overlay is 30 pixels or less, the background application gets the events unless the overlay itself is touched. If it is touched, the overlay gets the touch events and not the background application. If an attacker wants to use screen overlays to capture input, the reasonable options are either to use a full screen overlay and get all events, or put small overlays, 30px or less, in specific positions, and do something when they are touched.
Alternatively, if you are running one of the devices that leave /dev/input world readable, then the attacker simply has to read some files to get all touch events. In fact, the attacker would get all events, not just touch events.
If you are trying to defend against touchlogging attacks, here are some things that can be done.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.