Computer security researchers from the Ben-Gurion University of the Negev report a new malware attack via replacement touchscreens. The experts report that it is possible for criminals to abuse repair services and embed malicious code using this technique.
Replacement Touchscreens Lead to Smartphones Infections
A new virus infection route has been identified by experts from the Ben-Gurion University of the Negev. It uses replacement hardware touchscreens as the route of intrusions. All of this is detailed in a paper titled “Shattered Trust: When Replacement Smartphone Components Attack”. The researchers outline that they have been able to demonstrate the attacks using simulations involving two popular Android devices ‒ the Huawei Nexus 6P and the LG G Pad 7.0.
The cause of the attacks is related to the fact that the phone touchscreen and other hardware components are made by OEM manufacturers that also provide their own source code. Each device uses minor tweaks and adjustments to account for the differences in the software implementations.
This allows it possible for the device manufacturers to include patches that can tweak the kernel at a core level. A key insight reveals that the device drivers involved exist inside the phone’s trust boundary.
Replacement Touchscreens Able to Attack Smartphones
Malicious software involved in the operation of the replacement touchscreens leads to dangerous fileless attack. Such infections cannot be detected by anti-virus software and leave no lasting footprint. One of the major advantages of such campaigns is the fact that the touchscreens are an essential component and their driver code is needed at the early stage of boot-up. Even firmware updates and factory resets cannot guard against infected parts.
There are two attack type that can be used as part of a large-scale attack:
- Touch Injection Attack ‒ This attack involves the use of eavesdropping on the users touch events and injecting spoofed commands into the communications bus. The devised example is able to generate events at a rate of approximately 60 taps per seconds.
- Buffer Overflow Attack ‒ This is an attack that attempts to exploit found vulnerabilities in the touch controller to gain arbitrary code execution capabilities.
As a result of their actions the attacks can lead to several malicious results. One of them is the ability to impersonate users by injecting touch events into the communications bus. This allows the hackers to manipulate the commands stream and installing arbitrary software, grant permissions or change device settings.
In addition the attacks make it possible for the criminals to harvest sensitive data and alter security-related settings such as passwords and lock patterns. The fact that the code is injected deep into the operating system allows it to exploit other vulnerabilitie and gain kernel execution capabilities.
Consequences of the Smartphones Touchscreens Replacement Attacks
As described in the previous section malware-infected replacement touchscreens are able to cause serious security and privacy concerns. It is known that in practice it is impossible to detect infections as the malware code executes on a very low level that cannot be detected even by advanced anti-virus software. This allows the criminals to infiltrate a lot of devices just by tweaking the device driver code. This is possible by initiating a network attack against repair shops, manufacturers or other places where component installations are done.
The experts were able to demonstrate the following types of attack in an example simulation:
- Malicious Software Installation ‒ The criminals can infiltrate the devices by installing their own software to the infected devices.
- Screenshots and Camera Abuse ‒ Screenshots of the user’s screens and activities, as well as camera photos can be taken and sent to the operators vi email or other means.
- URL Replacement with Counterfeit Links ‒ Malicious links can be inserted into the place of legitimate sites. This is done either via scripts or other methods.
- Harvest Log Files ‒ The malware instances can extract the system log files generated on the compromised devices.
- Complete Device Infiltration ‒ This allows the malware to completely overtake the target device and plant itself deep in the system components.
The security experts advise the system designers to implement the components drivers outside the phone’s trust boundary. This can prevent malware infections of this type. Unfortunately as the demonstrated attacks rely on hardware components with specific deep-level code any malware instances cannot be reliably detected at this time.
One of the ways of infiltrating the code is through the workstation computers of technicians. This is the reason why we recommend that everyone use a quality anti-malware utility. It can defend against all kinds of viruses that can carry modules that infiltrate systems and may endanger the repair machines with such instances.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: