Proof-of-Concept Malware Captures Every Tap On Smartphones Or Tablets

Soulskill posted about 7 months ago | from the keyloggers-for-the-mobile-consumer dept.

Portables 39

DavidGilbert99 writes: "Keylogging has been a big component of most malware in recent years, but with the advent of touch as the interface of choice on smartphones, tablets and — increasingly — laptops, it has been getting harder for cyber-criminals to know what you are doing. A researcher has developed a proof-of-concept piece of malware which is able to capture everything you are doing on your touch devices, from where you touch the screen to what is being displayed."

This is actually quite scary. (5, Funny)

Anonymous Coward | about 7 months ago | (#46124269)

I have to admit, I never considered this to be an issue. Now I'm quite scared by this revelation. So when I lay my cock across my iPad, are you telling me that criminals could accurately determine its length and girth? That makes me feel very, very uncomfortable!

Re:This is actually quite scary. (-1)

Anonymous Coward | about 7 months ago | (#46124443)

It sounds like you just need some cock enlargement pills. Then you won't have to worry about having a small dick when you whip it out across your fruity tablet.

PLEASE STOP FORCING US TO /. BETA! (-1)

Anonymous Coward | about 7 months ago | (#46124311)

HOLY FUCK! I've just been forced to the shitty, rotten Slashdot beta site once again. I absolutely hate when this happens, and it sure happens a lot!

The nobeta=1 "fix" isn't even working for me now. Good lord, please tell me that the Slashdot beta site hasn't finally gone live. I sure hope that is not the case. Please, somebody confirm that it isn't.

This Slashdot beta site is just so bad. It looks and works worse than the existing site, which wasn't exactly good to begin with. Now it's damn near impossible to read the discussion, and I've had a hell of a time even just trying to get this comment submitted.

Cancel the Slashdot beta project! Throw the code out! This awful beta site cannot be saved. There is no value to it. Please, get rid of it.

Re:PLEASE STOP FORCING US TO /. BETA! (0)

Anonymous Coward | about 7 months ago | (#46124323)

I was 'forced' into the /. Beta page as well, however nobeta=1 is working for me.

Personally, I don't hate the Beta, but I prefer classic /. without all the big fancy pictures.

Re:PLEASE STOP FORCING US TO /. BETA! (1)

Anonymous Coward | about 7 months ago | (#46124433)

> I've just been forced to the shitty, rotten Slashdot beta

Bullshit. You just posted so you are not on the Beta. Posting has been broken on it for several weeks.

LOL (0)

Anonymous Coward | about 7 months ago | (#46124595)

LOL! Posting works fine from the beta site. I know, because I'm unfortunately doing so right now, and wish with all my heart that I was not. But I do think it's really funny that your comment had been modded up to +3, Insightful even though it isn't correct. Enough mods actually think that the beta site is so broken that they'd mod you up so highly! LOL! But seriously folks, this beta site really is the dumps. If this goes live, Slashdot is going to be a userless site just like Digg.

Re:LOL (0)

Anonymous Coward | about 7 months ago | (#46124707)

> +3, Insightful

I check my post every few minutes since I first posted it, and the highest I've seen is a +1. Maybe the Beta site is broken again.

Re:PLEASE STOP FORCING US TO /. BETA! (0)

Anonymous Coward | about 7 months ago | (#46127319)

You could always replace the word beta for www in the url. Seems to work for me when /. forces the all-new poo-crap white-space on me...

Re:PLEASE STOP FORCING US TO /. BETA! (0)

Anonymous Coward | about 7 months ago | (#46128693)

http://slashdot.org/?nobeta=1

Re:PLEASE STOP FORCING US TO /. BETA! (0)

Anonymous Coward | about 7 months ago | (#46124931)

You know, I log in with a user account and use the old fashioned (90's era) look and feel. Maybe you should try it.

No valid distribution method... (1)

Kenja (541830) | about 7 months ago | (#46124327)

The article even says it would be unlikely to pass the various store security checks. So the moral still remains to not install software from an unknown and untrusted source. This is more or less a universal truism regardless of platform.

Re:No valid distribution method... (2, Informative)

sunderland56 (621843) | about 7 months ago | (#46124413)

There are massive problems [technologyreview.com] with the Apple store security process; I'm sure that Google's and Amazon's are no better.

Re:No valid distribution method... (2)

Anubis IV (1279820) | about 7 months ago | (#46124739)

It is good to shine the light on stuff like that, but let's be sure we keep the scale of the problem in context [techcrunch.com], since referring to it as a "massive problem" is quite a bit of an overstatement. Moreover, the connotation involved in the comparison with Google and Amazon suggests a false equivalency, when the fact is that one of them is suffering a malware incidence rate that is over two orders of magnitude greater than the one with the lowest rate (which, when you look at the raw numbers, isn't actually that bad, but they're still not in the same vicinity as each other by any stretch of the imagination).

A single proof of concept that's already been addressed (according to your source) and has yet to be seen in the wild beyond that initial research experiment is a negligible concern, not a massive one. It's worth sharing and worth calling Apple to task on, but let's not overstate the issue.

Re:No valid distribution method... (1)

warm_warmer (3029441) | about 7 months ago | (#46125639)

Meanwhile, you can continue to install apps like those made by Silent Circle and pretend like you're having private conversations with people with phones that are apparently easy to completely own [slashdot.org].

Re:No valid distribution method... (1)

Anubis IV (1279820) | about 7 months ago | (#46125843)

You neglected to mention the method by which they were owned. The NSA required physical access to the devices, and the attack, based on the details that leaked, was little more than jailbreaking the iPhone so that they could install a daemon that phoned home periodically. It also wasn't confirmed as working on anything after the iPhone 3G, which is significant, since the 3GS was when Apple introduced hardware-level encryption on their devices, though I'm guessing that's simply because the report was old, rather than because the attack wasn't effective. The same form of attack was also confirmed against Android (and Blackberry) at the time that these reports regarding the iPhone got out, but the news sites pretty much glossed over that fact.

Anyone here on Slashdot should already know that if you compromise physical access, you've compromised the device. The NSA's attack was not a remote one, and jailbreaking/rooting is a common feature on all smartphones today, so this attack was hardly novel or fear-inspiring. The only thing worrying about it was the way that they gained physical access, which included the interception of packages that were en route, unwrapping them, tampering with them, then resealing them and sending them on their way. That, to me, was more worrying than the attack itself, since if the NSA couldn't figure out how to root my phone and install whatever they felt like if I gave them physical access, I'd call their technical competency into question.

Re:No valid distribution method... (1)

warm_warmer (3029441) | about 7 months ago | (#46126179)

In the particular case linked above, yes, the NSA required physical access to the device. However, the article noted that "a remote version of the exploit is also in the works."

Regardless, there is ample attack area for someone determined to get into a phone (or your computer, or just about any connected device really), and the government pays big money to find exploits before they're publicly known [fastcompany.com] to do just that.

I would be very hesitant about claiming that the NSA couldn't figure out how to root the phone - it likely was just the easiest way for this particular program.

Re:No valid distribution method... (1)

Anubis IV (1279820) | about 7 months ago | (#46126213)

I'd agree. And, in fact, shortly after the date of that report, there was indeed a remote jailbreaking utility that was released, which had massive security implications. Apple has since closed that hole and no further ones have been publicly disclosed, but, as you said, the government pays good money for those sorts of exploits, so blanket statements that they don't exist should always be taken with a heaping grain of salt.

Re:No valid distribution method... (0)

Anonymous Coward | about 7 months ago | (#46125427)

Did you read TFA?

This technique doesn’t work on non-jailbroken iOS devices. You know, like most of them.
Sure, the author thinks it could work, but obviously couldn’t actually get it to work himself.

So, even if there are “massive problems” in Apple’s store review process, the 99%+ of iOS users who didn’t opt to neuter their devices into having no on-device security are unaffected.

Android, on the other hand, is affected on 100% of their devices because both their app distribution and on-device security model suck.

Re:No valid distribution method... (2)

Anubis IV (1279820) | about 7 months ago | (#46124515)

It'd be easy to slip it in as an update to an existing piece of software, similar to the recent reports of Chrome extensions being purchased by companies that then turn them, via later updates, into advertising delivery vehicles. Android and jailbroken iOS are both vulnerable to this form of attack due to the forms of processing that they allow in the background, and the fact is, delivering it is not particularly difficult, since malware has already found its way onto these platforms (native iOS isn't as affected, since even though the malware may be able to be delivered to it, the way it handles background processes would neuter the attack itself).

Really, all that needs to be done by a malware developer beyond what's already been done is add some OCR capabilities to the malware so that it can identify what key it is that you're hitting, enabling it to know exactly what your username and password are. Or, better yet, somehow tie into the input system directly so that it can identify precisely what textual inputs are being provided, without any need for image recognition or processing.

Re:No valid distribution method... (2)

bonehead (6382) | about 7 months ago | (#46124691)

> add some OCR capabilities to the malware so that it can identify what key it is that you're hitting,

Um... You either don't understand what OCR is, or you're proposing a complex solution to a simple problem.

Re:No valid distribution method... (1)

Zynder (2773551) | about 7 months ago | (#46124729)

He's future proofing obviously. The OCR software will be ready and waiting when Google Glass goes live! BWAHAHAHHAHAHHAHA! *ahem* excuse me :D

Re:No valid distribution method... (1)

Anubis IV (1279820) | about 7 months ago | (#46124865)

If you read the article, the researcher's attack relies on sending screenshots back to the attacker, along with the coordinates for where the touch took place on the screen. He provided no means for automating the process of identifying which character appears at the touched location, so OCR seems to be exactly the correct tool for the job, given that it would allow an attacker to automate the process of extracting keypresses from the provided data. That said, I obviously agree that it would be a complex solution to a simple problem, since I already suggested a simpler way to address the issue in the very next sentence after when I mentioned OCR.

Why you immediately jumped to thinking that I don't know what OCR is or that I'm advising it as an ideal solution is beyond me.

Re:No valid distribution method... (1)

euroq (1818100) | about 7 months ago | (#46127193)

This article is bullshit. Someone wrote an Android app that stores information. That's not malware, that's an app. Malware would be doing it via holes in the system that are unprotected.

SLASHDOT BETA: is there a cure? (-1)

Anonymous Coward | about 7 months ago | (#46124329)

it pops up like herpes sores and I'm tired of it!

I got sent to the beta site again, and I hate it. (-1)

Anonymous Coward | about 7 months ago | (#46124367)

Why do I keep getting sent to this really awful beta site? It's really no good. Why are there so many large and irrelevant images? Why is there so much white space and gray space? Why are the story titles in such a large font but the story content's font is so small? Why is there so much dark gray text on a light gray background, with very little contrast between the two? Why is there so much extra space around each discussion comment, making fewer comments show at once, and forcing a whole lot more scrolling to read them all? Why is the comment font so tiny? Why is the post ranking in such a light and hard-to-read shade of gray?

Everything about this new beta site is just bad bad bad! It's a lot harder to use than the existing site. I really wish I wasn't forced into using this beta site like every other time I visit Slashdot. If this keeps happening I think I'm just going to leave and not come back. I can get this same news at HN or even reddit, usually days earlier.

Re:I got sent to the beta site again, and I hate i (1)

Anachragnome (1008495) | about 7 months ago | (#46124465)

http://noscript.net/ [noscript.net]

etch-a-sketch (1)

nurb432 (527695) | about 7 months ago | (#46124411)

Now, try to log my actions... I dare you

Re:etch-a-sketch (0)

Anonymous Coward | about 7 months ago | (#46124471)

I see that you are drawing a penis on your etch-a-sketch... and then touching it.

mod do3n (-1)

Anonymous Coward | about 7 months ago | (#46124455)

dabblers. In truTh,

One potential market for this software (2)

Dachannien (617929) | about 7 months ago | (#46124463)

This will be great news for all those people who think they aren't getting nearly enough information through Facebook about their friends' Candy Crush exploits.

How is this surprising ? (1)

Anonymous Coward | about 7 months ago | (#46124479)

Apps like VNC Server have been available on both Android and jail broken iOS. Getting the image of the screen, saving it on tap/touch, and sending it off elsewhere doesn't seem like it would need a proof of concept.

Proof-of-concept malware used to infect Android (1)

DTentilhao (3484023) | about 7 months ago | (#46124685)

"What Hindocha has produced is a proof-of-concept piece of malware which can be used to infect Android smartphones and tablets as well as jailbroken iOS devices"

How does this malware get onto the device, without the user going to a malicious website, downloading and installing the malware?

Proof of Concept (1)

Nerdfest (867930) | about 7 months ago | (#46125391)

I would guess that this could be snuck into some other application, possibly even through the Apple store if someone is very clever. It's just a proof of concept so far and Apple does not allow side-loading, while Android does, as do jailbroken devices.

Nothing new (1)

SSpade (549608) | about 7 months ago | (#46124723)

This approach - recording an image around each click - has been used by malware that attacks the on-screen keyboards used by some online banking systems for several years. (They use the online keyboards as an attempt to avoid keyboard sniffers getting account numbers).

This does it on (insecure) mobile OSes rather than desktop OSes, but seems to be otherwise identical.

Re:Nothing new (0)

Anonymous Coward | about 7 months ago | (#46125109)

Private API's.
No such thing they are lurking and available to all - but they are a breach of any security model - as old as the PEEK and POKE commands on elderly TRS-80's. Add to the fact that drivers are full of bugs and their owners are too cheap to re-write them using updated string commands and range-checking. A perfect storm of insecurity, in the name of holy profit.

Video card DMA hacks and private API's to get them into diagnostic mode have also been known about for ages - which is why open source is a bit behind - because the companies cheated by driver shortcuts, as did Microsoft in the DOS 3.1 era.

Fast forward to today. Nearly everything has a cpu, with ram and eeprom, able and ready to stash keystrokes. Logic analysers are cheap. However the skill of the engineers and systems programmers is way down from what it used to be.

A paper and pen has no cpu - and is safe

I need this software, ASK SLASHDOT (0)

Anonymous Coward | about 7 months ago | (#46124995)

Ok guys. I post here a lot but the embarrassment of the situation has forced me to post AC. THIS IS NOT A TROLL OR JOKE. It may sound like it though, I apologize.

I need to know the names and/or locations of the Android software that does stuff like this. The kind that remotely turns on the cams and mic and all that kind of thing. My cursory attempt at Googling has turned up nothing since I imagine those links are scoured away by law enforcement and/or Google. I have no malicious intent though. Here's the embarrassing part: My wife fucks me maybe twice a month. I hate it. I'd like it at least twice a week. Come to find out there's a correlation to days that when she masturbates, she won't have sex with me. She ALWAYS denies masturbating at all. I guess it embarrasses her or something, I don't know. She is usually very predictable and so this has allowed me for the past couple of years to keep tabs of when she rubs one out. I do this by keeping track of the locations of her 2 sex toys, marking/memorizing their positions so I know if they have been moved, keeping a count of battery consumption, and tracking when she looks at porn on her browsers. I even had that iSpy software set to trigger a recording off of my webcam when porn surfing was detected. However, we moved about 6 months ago and the new place is all setup differently and she's had to relearn a new jerking off routine. I can no longer use iSpy unless I want to start buying hidden cams in alarm clocks. She also learned what the Private Browsing mode of Firefox was about so I had to swap to logging traffic at the router. Turns out though that her new preferred jerk off spot is in a room that has no computers so she's switched to watching her porn over her smartphone or tablet. The problem with that is that she often turns off the wifi and when she does, I obviously can't log web traffic. So that is what I'd like the software to do: log web traffic and relay it to me, and allow me to watch her smack the monkey.

I'm asking YOU, fellow /. perverts, what solutions have you come up with to watch your significant others masturbate? Just throw me out some names of software and perhaps where I could find it. I know I can't be the only nerd on this site that has voyeuristic tendencies XD!

Re: I need this software, ASK SLASHDOT (0)

Anonymous Coward | about 7 months ago | (#46126597)

I'm disappointed guys. Not even a "dude she's totally cheating on you cause you have a little dick" c'mon! help a brotha out here.

NSA will be all over this (1)

surfdaddy (930829) | about 7 months ago | (#46125211)

Anything they can gather data on, they will. That's their new M.O. and the nuisance of things like "process" and "warrants" and "the Constitution" go out the window.

Re:NSA will be all over this (0)

Anonymous Coward | about 7 months ago | (#46125677)

Yeeeeeahhh. I was wondering when the first fucktard was going to bring in the NSA. Got any clever Snowden or bitcoin statements you want to add as well?