Get started Bring yourself up to speed with our introductory content.

Mobile keyloggers: Defense measures against mobile keystroke logging

Application security expert Michael Cobb explains how companies can defend themselves against the growing threat of mobile keystroke logging.

Can you please explain how a mobile keylogger differs from a Windows (or other OS) keylogger? Are the defense measures different?

Keystroke logging is a common feature of desktop malware, particularly those targeting online banking credentials and transactions, such as the Zeus banking Trojan. Keylogging software monitors and records every key pressed on an infected computer's keyboard and sends it to a remote location controlled by the attacker so that passwords, credit card details and other valuable information can be extracted.

As people are increasingly using mobile devices for financial transactions and online banking, criminals are starting to focus their efforts on designing malware to steal user credentials and other sensitive data from them. However, smartphones differ from desktops in that they don't rely on a hardware-based keyboard; mobile operating systems use a soft keyboard, which is an on-screen image map. Also, mobile application developers can create a custom keyboard specifically for their own app. This means that a keylogger installed on a mobile device can't simply record the keystrokes entered by the user; the attacker must also capture the X and Y coordinates of the area on the screen the user is touching and combine them with a screen grab in order to deduce what the user is inputting.

Trustwave senior security consultant Neal Hindocha presented a proof-of-concept demonstration at this year's RSA Conference that captured screen grabs, as well as the x and y coordinates of the area on the screen being touched. He was able to beat the security of a virtual keypad used to log into a device. His attack works predominantly on rooted and jailbroken Android and iOS devices because commands can be executed to get the x and y coordinates of any touches that occur on these. FireEye has discovered a similar touchlogging vulnerability in iOS 7 devices that are not jailbroken, while unrooted Android devices are vulnerable to attack if the device is connected via USB to a PC, allowing its storage to be used for save screen grabs. Hindocha also said that hackers could get enough data just from data logs and wouldn't necessarily need screenshots, but that cracking Windows-powered phones is proving to be more difficult in this regard.

This attack methodology is a long way from being viable enough to compromise users on a massive scale, and the risk for users of devices that are not jailbroken is still low. However, enterprises with high security requirements should beef up security awareness so users understand this sort of threat. A targeted attack may look to make use of this strategy because a lot of information can be discerned solely from keystrokes. For example, if no one touches the screen for an hour and then the keylogger detects between four and eight screen touches, the user has probably just entered their access PIN.

Unfortunately, keyloggers are often difficult to detect: An infected device presents little or no outward symptoms of an infection. FireEye urges iPhone users to use the iOS task manager to prevent possible background monitoring, while enterprise networks should protect data by actively monitoring data leaving the network and tracking down infected mobile devices by detecting unusual patterns in data traffic.

Ask the Expert!
Perplexed about application security? Send Michael Cobb your questions today! (All questions are anonymous.)

This was last published in July 2014

Dig Deeper on BYOD and mobile device security best practices