In association with heise online

02 August 2010, 13:22

Android rootkit demonstrated

At the DEFCON hacking conference, which ended yesterday, IT security researchers Nicholas Percoco and Christian Papathanasiou demonstrated what they claim is the first rootkit for Android. Their aim was to show how slight the obstacles to the development of such a rootkit are and how powerful the result can be. Android is Linux-based and desktop Linux rootkits are nothing out of the ordinary. The demo rootkit, dubbed "Mindtrick", is a Loadable Kernel Module (LKM) and can conceal itself from other processes. The demo was included in a DVD given to DEFCON delegates.

The rootkit can gain access to Android devices either by exploiting unpatched vulnerabilities or by pretending to be a legitimate app. Two other researchers recently showed that it's possible to spread infected apps to thousands of devices. Once installed, the rootkit is activated by calling the infected mobile from a specific number. It then establishes a connection to the attacker's computer, which allows the phone to be controlled remotely. As the researchers demonstrated in their talk, this gives the attacker access to the Android phone's SQLite database, allowing them to view, for example, a victim's texts or contacts.

It's also possible to remotely read the device's current GPS coordinates and to make outgoing calls without this being shown on the display. Criminals could make use of the latter by running up charges on expensive sex lines that they themselves operate. According to the researchers, current anti-virus software for Android does not (yet) detect the rootkit.

It is not clear whether Google would be able to disarm such a module using its remote delete function – the deletion process applies to the application level, not the kernel level. According to Percoco, the easiest way to protect against infection via a Loadable Kernel Module would be for smartphone makers to only allow modules digitally signed by the maker. The HTC device used for the demonstration clearly doesn't have this kind of check.
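The signed-modules-only policy Percoco describes can be audited on current Linux kernels. The following is an added example, not code from the article or the researchers; it assumes the mainline kernel options CONFIG_MODULES, CONFIG_MODULE_SIG and CONFIG_MODULE_SIG_FORCE, the module.sig_enforce boot parameter and the kernel.modules_disabled sysctl, and both sample configs are constructed.

```python
import re

# Constructed sample kernel configs (not taken from any real device).
SAMPLE_CONFIG_WEAK = """\
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_SIG is not set
"""
SAMPLE_CONFIG_SIGNED = """\
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
"""

def parse_kconfig(text):
    """Parse kernel .config text into {option: value}; unset options map to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        is_set = re.match(r"(CONFIG_\w+)=(.*)$", line)
        unset = re.match(r"# (CONFIG_\w+) is not set$", line)
        if is_set:
            opts[is_set.group(1)] = is_set.group(2).strip('"')
        elif unset:
            opts[unset.group(1)] = "n"
    return opts

def module_policy(config_text, cmdline="", modules_disabled="0"):
    """Classify whether an unsigned kernel module could be loaded.

    config_text      -- kernel config text (e.g. decompressed /proc/config.gz)
    cmdline          -- contents of /proc/cmdline
    modules_disabled -- contents of /proc/sys/kernel/modules_disabled
    """
    opts = parse_kconfig(config_text)
    if opts.get("CONFIG_MODULES", "n") != "y":
        return "no-loadable-modules"           # monolithic kernel, no LKM path
    if modules_disabled.strip() == "1":
        return "loading-disabled-at-runtime"   # one-way switch until reboot
    # Signature checking alone only taints the kernel; enforcement rejects.
    enforced = opts.get("CONFIG_MODULE_SIG_FORCE", "n") == "y" or any(
        t in ("module.sig_enforce", "module.sig_enforce=1")
        for t in cmdline.split())
    if opts.get("CONFIG_MODULE_SIG", "n") == "y" and enforced:
        return "signed-modules-only"
    return "unsigned-modules-allowed"

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG_WEAK), ("signed", SAMPLE_CONFIG_SIGNED)):
        print(name, "->", module_policy(cfg))
```

A result of `unsigned-modules-allowed` corresponds to the situation the article describes for the demonstration device: any code that reaches root can insert a kernel module.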


(Uli Ries / crve)
