16

I need to clarify my question. I'm wondering if there are any apps for smartphone that can log each 'keystroke' (i.e. key pressed on touchscreen) that a user does. Performing a google search brings up some links to sites like this and this. These apps do not record keystrokes, they 'only' forward sms messages, call logs, contacts and so on to the attacker. Although they call themselves keylogger, that's not what I mean.

Are 'keyloggers' impossible due to the fact that there are no 'real' keystrokes to log? Is this kind of attack simply not possible on touchscreens?

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
Pits
  • 169
  • 1
  • 1
  • 3

8 Answers8

13

Carrier IQ is a rootkit previously installed by mobile phone operators on Android and on iOS 4 iPhones. It is capable of recording every keystroke on your virtual keyboard. See What risk does Carrier IQ pose, exactly?

this.josh
  • 8,843
  • 2
  • 29
  • 51
6

hehe, perhaps you're right. When there are no keys, there can't be any key loggers. Let's call it swipelogger™.

More seriously though, I don't think there's much of a technical barrier for malware to detect user-input, be it via a keyboard, mouse, touch screen or brain alpha-waves. As long as there's input, there's a chance to intercept it.

700 Software
  • 13,897
  • 3
  • 53
  • 82
Yoav Aner
  • 5,329
  • 3
  • 25
  • 37
  • 1
    Agree, plus a simple search on Google would return the information confirming that they do exist. – blunders Feb 02 '12 at 20:09
  • @blunders: I'm wondering what you found using google. All I found was some crap about sms surveillance, phone call log monitoring and so on... – Pits Feb 02 '12 at 20:18
  • @Pits: Seems like you're saying you know they exist, which conflicts with "I haven't found any clues that keyloggers are existing on smartphone platforms" in my opinion. If you're talking about if a feature, or set of features, then you should clearly state that in your question. – blunders Feb 02 '12 at 21:25
  • @Pits Perhaps you should clarify your question then? i.e. ask what specific keyloggers were found on smartphones so far, or something along those lines... Your question as it stands right now is whether such an attack is impossible because there are no keys. – Yoav Aner Feb 02 '12 at 21:45
  • p.s. perhaps it's not the best link, and I'm by no means trying to promote this, but 2nd link on google search produced a [link to a site](http://www.phonespysoftware.com/howitworks.html) that sells these kind of keyloggers, boasting to support virtually all smartphone platforms. – Yoav Aner Feb 02 '12 at 21:48
  • In a default configuration, Android apps are sandboxed from one another. So, even if a malware(app) is installed, how does it break this sandbox and gain such privileges required to perform such surveillance? – Mayank Singh Aug 23 '15 at 12:43
5

Yes. You could build a key logger app on a smartphone. One example is Carrier IQ.

Android does have protections to make it harder for an attacker to create and distribute a keylogger app. On Android, an everyday app cannot log the keystrokes of all other apps; there are some additional barriers to being a keylogger. However, it is possible: there are ways to build a keylogger app. Here are three ways it can happen:

  • Custom input method. On Android, an app can define a custom input method (aka an IME). The user can select which input method they want to use, and this input method will be used across the entire system, for every app. This allows, for instance, the Swype app to provide a custom keyboard.

    A keylogger could provide a custom input method and ask the user to enable it via the IME user interface. This custom input method could secretly keep a copy of all keys entered. Thus, any Android app could be a keylogger, if you authorize it to serve as a replacement input method. However, the user does have to approve this via a special menu (a standard Android permission is not enough; the user has to actively go to "Settings >> Locale and Text >> Select input method" and select the new input method).

  • Pre-installed app. The carrier or phone manufacturer could provide a pre-installed app that has the ability to snoop on all keystrokes.

  • Signed app. I'm not sure, but I think a signed app might have the ability to snoop on all keystrokes as well. However, Google or the carrier would have to sign the app before you could install it (or you'd have to sideload the app and ignore the scary warning messages that are shown to you).

D.W.
  • 98,860
  • 33
  • 271
  • 588
2

Well, since smartphones are relatively new, we can imagine that the underground community will hold tightly to this code (unless you will pay a nice fee). Although I can't give you a link to a working smartphone keylogger, there was a recent WikiLeaks disclosure of national security agencies and police agencies trading the recent advancements in survelliance technology. Among the quotes, "Surveillance companies like SS8 in the U.S., Hacking Team in Italy and Vupen in France manufacture viruses (Trojans) that hijack individual computers and phones (including iPhones, Blackberries and Androids), take over the device, record its every use, movement, and even the sights and sounds of the room it is in."

Also, since there are known variants of malware that can detect the depression of keys on an on-screen keyboard, it would be trivial for an attacker to log the coordinates of the touch screen to yield the same information on a smartphone.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
RPM
  • 21
  • 1
2

Yes you can record keystrokes by user on android device simply by reverse engineering the keyboard app . http://www.android-app-development.ie/blog/2013/03/06/inserting-keylogger-code-in-android-swiftkey-using-apktool/ Here is one example where attacker attaches malware to the famous swiftkey keyboard using apktool

Sigma
  • 121
  • 3
1

Here is an example, however please note that the iPhone would need to be jailbroken for you to install the app. I also have had no experience with this app, but at least it may be a starting point.

iPhone - http://ikeyguard.com/

As of right now, I can't find anything available for android.

I'm A Person
  • 136
  • 5
0

Stopping android to send keyboard keystrokes:

A scenario for preventing the keyboard on sending would be by using a firewall.

For NON-Rooted phones this ones should do the trick:

NoRoot Firewall >> www.play.google.com/store/apps/details?id=app.greyshirts.firewall

Mobiwol >> www.play.google.com/store/apps/details?id=com.netspark.firewall

In this moment, Mobiwol and NoRoot firewall have different feautures, NoRoot Firewall has the advantage to "see" in the logs what is wishing to connect to the internet, while Mobiwol has the advantage of blocking "in the mass/batch" and "backgorund/foreground" internet traffic blocking.

I WONDER IF IT IS LEGAL for Phone Manufactures to implant a such keyboard spyware to send keystrokes to google. In this moment, my phone is sending every thing I type, in SMS, CALLS, BROWSER, GAMES, OFFICE, WORD, and so on to the Google Servers. I wonder why, and maybe I will take some legal action, because the phone is sending info to Google, and I had NOT agreed anywhere this thing.

Guest
  • 11
  • 1
    Spell checker? Anyway, that latter part of your answer is obsolete and smells more of a new question than an answer, could you please [edit] it to only include parts relevant to answering the question presented at the top of this thread? Thanks! – TildalWave Mar 27 '14 at 13:43
0

As you are able to to write your own keyboards for android it could be assumed that a keyboard could be written that functions like a normal keyboard while at the same time logging the input and passing it back to the attacker. Such an application shouldn't be to hard to write.

Sam Aldis
  • 73
  • 7