Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Touchlogging Part 3 - Final Thoughts

This is the third and final part on the subject of Touchlogging. I do recommend reading part one and part two before reading this final part.

The previous parts described the technical details of the touchlogging attacks. In this part, I will focus a little more on the softer parts.

First, I wanted to discuss the issue of screenshots. Grabbing screenshots is quite easy and overlaying the coordinates on the screenshot shows exactly what the user is inputing and where. However, since screenshots are quite large in comparison with X and Y coordinates, how far can you get without screenshots?

When I started this work, I thought screenshots were necessary. However, the longer the project went on, the more I realized that the screenshots were not necessary. There is a lot of logic that can be applied to figure out what a user is doing, but the easiest way of understanding this is by imagining what it looks like from the other side--when you use your touchphone. Imagine your touchphone is transparent, and someone is watching your fingers move on the screen as you use the phone. What would it look like when you are playing your favorite game? How about when you are writing an email, checking your bank account or browsing the web? If you try to picture yourself doing these things, you can see the patterns emerging and patterns can be detected. Therefore, as it turns out, the screenshots are not the most important part (although they do help of course).

I wanted to continue on the subject of risk. As an application developer, is touchlogging something to worry about? Well, the short answer is--not for most people. There are some that need to implement protection against this attack though. Any app that takes valuable input through the touchscreen should consider this attack and implement relevant safeguards.

Protecting against the attack is possible, but not trivial. There are challenges both on iOS and Android, and good defences will require both time, effort and knowledge. You may be tempted, especially on iOS, to block execution on jailbroken devices. This, however, is very unlikely to stop any determined attacker. And as FireEye showed, the attack does not always require a jailbroken device. Any application with high security requirements should use a defence in-depth strategy, so relying on root/jailbreak detection alone is not a good option.

I mentioned a few strategies to protect against this attack in the previous parts, but on Android, it is challenging and the only way I know that works is monitoring the running environment and automatically making decisions based on the collected information. Applying this type of defensive strategy on Android will not only protect against touchlogging attacks, but also a wide variety of other attacks and should be part of the defence in-depth strategy.

In a BYOD setting, it is more difficult to protect against. I think that while the risk of this attack being used is very low, it is possible that it is used as part of targetted attacks against specific individuals or companies. Following the recommendations from my previous articles on the topic can help reduce the risk.

In closing, I want to say that I worked on this project for over nine months. It was not very focused. It has been one of those background projects that I kept going back to when I had time. Several people have been part of the project, but the original idea was developed by Mike,Nathan and I.Robert Bengtsson is the one who came up with the idea of capturing touch coordinates through live wallpapers.

Please use the comment box if you have any questions or comments!

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More