View article

We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by malicious Android applications to record all touchscreen input into applications system-wide. Leveraging this attack, a malicious application running on the system is able to capture sensitive input such as passwords and PINs, record all user's social interactions, as well as profile user's behavior. To evaluate our attack we implemented Hoover, a proof-of-concept malicious application that runs in the background and records all input to all foreground applications. We evaluated Hoover with 20 users, across two different Android devices and two input methods, stylus and finger. In the case of touchscreen input by finger, Hoover estimated the positions of users' clicks within an error of 100 pixels and keyboard input with an accuracy of 79%. Hoover captured users' input by stylus even more …