Information Security News mailing list archives

Trustwave Demonstrates Malware That Logs Touchscreen Swipes To Record Your PIN


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 29 Jan 2014 09:37:11 +0000 (UTC)

http://www.forbes.com/sites/tamlinmagee/2014/01/27/trustwave-demonstrates-malware-that-logs-touchscreen-swipes-to-record-your-pin/

By Tamlin Magee
Forbes.com
1/27/2014

Neal Hindocha, a senior security consultant for Trustwave, has built proof-of-concept 'screenlogging' malware that monitors finger swipes on smart devices in combination with taking screenshots, painting a picture of exactly how the user is interacting with their phone or tablet.

Hindocha’s concept malware logs the X and Y coordinates of any swipe or touch. Speaking with Forbes, Hindocha says it wasn’t much hassle to get the code running on jailbroken iOS and rooted Android devices, and that it’s possible to get it working on regular Android smartphones, provided they are plugged into a PC -- for example, while charging by USB.

Trustwave was examining financial malware on the Windows platform and wanted to see if similar methods could be applied to mobile. Keylogging has been a typical component for financial Windows malware, and there are apps that already log keyboard inputs on smart devices. But Hindocha says the finance industry is moving away from using typical keyboard inputs, whether it is with a PIN code or another kind of password.

Recording touch screen coordinates "has a certain value in itself," Hindocha says. "If you're monitoring all touch events and the phone hasn't been touched for at least one hour, then you get a minimum of four touch events, you can assume that is a PIN code being entered."

[...]
