Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Touchlogging Part 2 - Android

This is part two in my Touchlogging series, you can find part one here.

In part one, I wrote a little bit about the background and how to intercept touch events on jailbroken iOS. This part will focus on Android. I do recommend that you start with part one even if you are not interested in iOS.

Let's start with rooted Android devices. How can X and Y coordinates of touch events be captured? As it turns out, we can open a shell and type getevent: that's it, mission accomplished. What getevent is doing is reading from /dev/input, so we can just as well read the information from there directly. With root access, we can use getevent or read from /dev/input directly on the device.

What if the device is not rooted? We can actually still use getevent, but it has to be triggered via an ADB shell, which in turn requires USB debugging to be enabled on the device. This is possible because the rights are elevated when accessing the device through ADB.

Now we know how to capture events on rooted android devices and non-rooted android through ADB, but can we capture events directly on non-rooted android devices? This also turns out to be possible with some caveats. There are two ways that I found. The first one is live wallpapers. Basically, all touch events that occur when the live wallpaper is visible are sent to the live wallpaper. This in itself is useful for capturing information entered into widgets. However, additionally, if you know the layout of the screen of the victim, it may be possible to combine this with other attacks, such as by overlaying the screen to get user input.

This brings me right into the next way I found for capturing touch events on non-rooted Android devices; overlay the screen. Using TYPE_SYSTEM_ALERT, it is possible to create screen overlays. The rule for the overlays appear to be as follows (I say "appear to be" as this is based on tests I have done myself). If the width of the overlay is 30 pixels or less, the background application gets the events unless the overlay itself is touched. If it is touched, the overlay gets the touch events and not the background application. If an attacker wants to use screen overlays to capture input, the reasonable options are either to use a full screen overlay and get all events, or put small overlays, 30px or less, in specific positions, and do something when they are touched.

Alternatively, if you are running one of the devices that leave /dev/input world readable, then the attacker simply has to read some files to get all touch events. In fact, the attacker would get all events, not just touch events.

If you are trying to defend against touchlogging attacks, here are some things that can be done.

  • Check if USB debugging is enabled (mainly applicable in a BYOD setting).
    • Do not allow this to be enabled unless the user is a developer, as it serves no purpose for standard users.
  • Check all installed apps for the permission TYPE_SYSTEM_ALERT, if found, take appropriate action. Do keep in mind that some apps use this permission for legitimate purposes, so just having the permission does not mean its a malicious app.
  • Detect rooted devices. However, I do not think that the best course of action is to block execution on rooted devices, this is a decision that should be taken based on a number of factors. Detecting rooted devices and submitting that information to the backend server is generally a good idea though.
  • If possible, advise users to avoid using live wallpapers.
  • If you are running one of the vulnerable devices, contact the handset manufacturor and ask for a patch. There may already be one available.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo