Using Hover to Compromise the Confidentiality of User Input on Android
Enis Ulqinaku, Luka Malisa, Julinda Stefa, Alessandro Mei, Srdjan Capkun

TL;DR
This paper demonstrates that the hover (floating touch) feature on Android smartphones can be exploited by malicious apps holding the SYSTEM_ALERT_WINDOW permission to record all user input, compromising privacy and security.
Contribution
It introduces Hoover, a proof-of-concept attack that exploits hover technology to accurately capture user input, highlighting a new security vulnerability in Android devices.
Findings
Hoover can estimate finger clicks within 100 pixels and keyboard input with 79% accuracy.
Stylus input can be captured with 2-pixel accuracy and 98% keyboard input accuracy.
The attack remains effective despite attempts to mitigate it through permission restrictions.
Abstract
We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by any Android application running with a common SYSTEM_ALERT_WINDOW permission to record all touchscreen input into other applications. Leveraging this attack, a malicious application running on the system is therefore able to profile user's behavior, capture sensitive input such as passwords and PINs as well as record all user's social interactions. To evaluate our attack we implemented Hoover, a proof-of-concept malicious application that runs in the system background and records all input to foreground applications. We evaluated Hoover with 40 users, across two different Android devices and two input methods, stylus and finger. In the case of touchscreen input by finger, Hoover estimated the positions of users' clicks within an error of 100 pixels and keyboard…
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Privacy, Security, and Data Protection
