Android rootkit demonstrated

At the DEFCON hacking conference, which ended yesterday, IT security researchers Nicholas Percoco and Christian Papathanasiou demonstrated what they claim is the first rootkitfor Android. Their aim was to show how slight the obstacles to the development of a such a rootkit are and how powerful the result can be. Android is Linux-based and desktop Linux rootkits are nothing out of the ordinary. The demo rootkit, dubbed “Mindtrick”, is a Loadable Kernel Module (LKM) and can conceal itself from other processes. The demo was included in a DVD given to DEFCON delegates.

The rootkit can gain access to Android devices, either through using unpatched vulnerabilities, or by pretending to be a legitimate app. Two other researchers recently showed that it’s possible to spread infected apps to thousands of devices. Once installed, the rootkit is activated by calling the infected mobile from a specific number. It then establishes a connection to the attacker’s computer, which allows the phone to be controlled remotely. As the researchers demonstrated in their talk, this gives the attacker access to the Android phone’s SQLite database, allowing them to view, for example, a victim’s texts or contacts.

It’s also possible to remotely read the device’s current GPS coordinates and to make outgoing calls without this being shown on the display. Criminals could make use of the latter by running up costs for expensive sex lines which they in turn operate. According to the researchers, current anti-virus software for Android does not (yet) detect the rootkit.

It is not clear whether Google would be able to disarm such a module using its remote delete function – the deletion process applies to the application level, not the kernel level. According to Percoco, the easiest way to protect against infection via a Loadable Kernel Module would be for smartphone makers to only allow modules digitally signed by the maker. The HTC device used for the demonstration clearly doesn’t have this kind of check.

Source.

Advertisements
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: