PoC keylogger app for smartphones revealed

We are all familiar with keyloggers – software that registers and identifies the keys pressed by a computer user – and their predominantly malicious uses.

One of the ways to avoid keyloggers harvesting that information is to use a virtual keyboard when entering text that you would like to keep private, such as passwords and bank account details.

But, if you thought that fact would keep smartphone users safe from this type of attack, you would be wrong. According to New Scientist, two security researchers from the University of California at Davis have managed to prove that it is possible to create a keylogger for smartphones.

The proof-of-concept app they developed targets Android users, and it “translates” the vibrations caught by the phone’s motion sensors when a user is tapping on the screen into keystrokes.

The app doesn’t have to be visible to the user to work, and the OS does not consider the motion-sensor output as data that needs to be protected, so the app is free to silently register and calculate the keys based on how the phone moves after a key has been pressed.

The app made by the researchers correctly identifies keystrokes in more than 70 percent of cases when the virtual keypad is numerical, so it is expected to be less accurate on an alphanumerical keyboard, due to the smaller keys and the shorter distance between them.

By the same token, keystrokes on virtual keyboards on tablets should be more accurately identified, especially since tablets are bigger and tapping movements would, therefore, be heightened.

It is unknown whether apps like this are already used by criminals – none have been detected yet. The question posed by Symantec software engineer Martin Lee is: “Is it worth the trouble?” As he rightly points out, there are way easier and more accurate ways to get that kind of information – phishing, for example.
