Android Rootkit Is Just a Phone Call Away

alphadogg writes "Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious 'rootkit' program they've written for Google's Android phone next month at the Defcon hacking conference in Las Vegas. Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. 'You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program],' said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research."

Anti Virus?

[kobaz]

Is there going to be a huge market for antivirus software for cell phones within the next few years?

Re:

[grantek]

Well the Apple way of doing things would just be to yank any app that's discovered to have an active exploit, and maybe remote wipe it from phones, then probably disable any infected phones until the OS is reinstalled. If that works for the masses it could be a nightmare for Richard Stallman, because it'll probably spread from there to the desktop.

Re:

[zuzulo]

VirtualBox on Android. Why not?

Or at least some sort of microkernel based virtualization ... forget about antivirus, firewalls, and all that noise. Just give me a fire and forget OS that is refreshed anew with each power cycle. My cell phone is *supposed* to be an appliance, after all. Keep the data on the network, and refresh the OS from a known good copy every time i turn it on ...

Who am i kidding, there is too much money in OS vulnerabilities for this to ever fly ... ;-)

Re:

[debatem1]

There's two problems with this: first, the difficulty of implementing it- porting an existing system can basically be ruled out by the use of Bionic and the tight performance constraints- and secondly there's the problem where the phone's only defense is to power cycle constantly, which is just as bad as having malware on it in the first place. Neither of these is impossible to overcome, but its hard enough that I decided not to pursue it something like a year ago, and I'm something of a project masochist.

Re:Anti Virus?

[Anonymous Coward]

YM:

Apple's way of checking if an app is valid:

1: Does the app use competing products? Yes, denied.
2: Is the app yet another flashlight or fart app? Approved.
3: Does the app mention Google at all? It's outta here.
4: Does the app do Web browsing? Gone.
5: If it passes all of the previous 4, roll a d6. 1-4, approved, 4-6, denied for some random reason even though other apps got approved with the same issues.

Re:Anti Virus?

[dougisfunny]

Which isn't a real browser anyway.

Re:Anti Virus?

[v1]

Is there going to be a huge market for antivirus software for cell phones within the next few years?

For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

Protecting your users from bad people isn't really very difficult. (firewall) Protecting them from themselves, that's a trick. (AV software)

I'm surprised we haven't seen a much faster rise in malware for unlocked phones in the last few years.

Re:

[Skuld-Chan]

Haven't read the article yet - so I wonder if this affects stock android phones. The default setting for android is not to install anything unsigned.

Re:

[Anonymous Coward]

"Signed" in Android terms doesn't actually mean much. Developers self-sign their apps. The point? I really don't know. What you're talking about is the setting that allows users to install apps from sources other than the Market.

Re:

[Kingrames]

"I'm surprised we haven't seen a much faster rise in malware for unlocked phones in the last few years."

The room does not become empty when you close your eyes.
- Quote mangled from a joke taken from the Jargon File.

Re:

[grcumb]

For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware.

Can you explain precisely what you mean when you use the term 'unlocked'? You're almost certainly wrong no matter which sense you use it in, but I want to make sure I refute the proper argument. 8^)

Okay, seriously: The valid part of your statement is your mention of 'unsigned software', which I take to mean the Microsoft approach of allowing all comers with little more than a 'caveat

Re:Anti Virus?

[MrHanky]

How exactly is OS X an exception? If you think OS X has effective protection against trojans and root kits, you're deluding yourself.

Re:

[node 3]

How exactly is OS X an exception?

Due to the notably disproportionate lack of spyware on the Mac.

If you think OS X has effective protection against trojans and root kits, you're deluding yourself.

It's strange that people seem to always bring this up when no one is making the claim that is supposedly being debunked.

Re:

[HappyClown]

For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

How exactly is OS X an exception?

Due to the notably disproportionate lack of spyware on the Mac.

By that logic, if I leave my front door open year round yet don't get burgled, my home must be burglar proof!

Re:

[MrHanky]

You made the claim that OS X was a rare exception to the rule that unlocked hardware (sic) has a virus problem (or actually: that there is "a huge market for antivirus software" for such platforms). Yet this is blatantly untrue: hardly any OS except Windows (and the Amiga, back in the days) has a huge virus problem.

And now you try to make the argument that OS X has little need for anti-virus software due to there being a disproportionate(?) lack of spyware for the platform. Spyware != virus, and a lack of

Re:

[quacking duck]

Mac OS X already has enough of a trojan problem that Mac OS X trojans have been used to create botnets.

[citation needed]

From Tuesday's Fox News of the Apple world, MacDailyNews itself:
http://macdailynews.com/index.php/weblog/comments/25439/ [macdailynews.com]

The software (screensavers mostly, but at least one application) was listed on several major, reputable Mac software aggregation sites.

Perhaps not a botnet this time, but after giving the admin password during installation, any payload could have been installed.

Re:

[v1]

Perhaps not a botnet this time, but after giving the admin password during installation, any payload could have been installed.

"User gives random downloaded software his admin password and bad things happen. Film at 11."

duh. The reason this is not common on the mac is you haven't completely compromised the machine at that point. Doing things like enrolling in a botnet require additional exploitation. Hence it's far less valuable to trojan a mac user because you've got a lot more work to do still before

Re:

[knarf]

That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

Eh? Assuming that you are talking about the user installing software instead of the software installing itself without the users approval please elaborate why OS X is an 'exception to the rule'? If you install 'see dancing bunnies NOW' on anything Apple you're just as p0wn3d as you would when you install it on anything else.

And 'price you pay for unlocked hardware'? Bovine Excrement

Re:

[hitmark]

the osx "exception" is more a case of obscurity then by design.

heck i think its shown that osx have the worst security of any *nix out there.

Re:

[zonky]

wait, you mean i have to trust the code i execute?

Re:

[FatdogHaiku]

wait, you mean i have to trust the code i execute?

Only on devices you want to reliably and securely use...
it's kind of like that rule about only flossing the teeth you want to keep.

Re:

[hitmark]

but can you trust the hardware?

Re:

[FatdogHaiku]

As much as you can the network, I guess...
So, no, probably not...
Geez, I hope we don't end up having to go to RadioShack to get a cell phone kit and a tiny soldering iron tip.

Re:

[Totenglocke]

I'd rather just see anti-virus software on pc's incorporate definitions for mobile phone viruses / rookits as well - that way you can just run a virus scan once a week with your phone plugged into your computer and not have to worry about killing the battery life on your phone.

Re:

[SQLGuru]

Wait, you have to plug your phone into your computer? My WinMo phone syncs via Bluetooth (and if I had a data plan, would sync via the 3g).

Actually Kaspersky has a mobile AV that's been available for a while: http://usa.kaspersky.com/products_services/mobile-security.php [kaspersky.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mlts]

I'd like to see an antivirus scanner put into the fastboot or recovery image. This way, if a phone is rootkitted, someone can boot to the recovery, and run Tripwire like software which would catch unknown kernel modules, and for known malware signatures, a signature based AV would deal with those.

However, lets be realistic: AV software is the absolutely last bastion of defense. Before malware can trip the AV software, the OS or application should have dealt with it by either ignoring it and forbidding it

Re:

[delinear]

But then how would the AV producers sell you the same product twice? Incidentally, to answer the original question about AV proliferating on mobile phones, there are already several products out there - I'm not sure what they actually do, since I've not heard of any mobile virii in the wild affecting these devices, I suspect they just scan for Windows virii to protect your OS when you hook up the phone as a mass storage device. I'm more than happy to install AV on my phone as and when someone demonstrates t

Re:

[oztiks]

I believe so, the value of commandeering a mobile phone and then using it for illegitimate financial gain is there, the possibilities are the same as Trojan on a PC, perhaps even more.

A mobile Botnet being able to DoS targets with smartphones and it wouldn't be limited to just internet, it could be done with the phone/sms aspect as well.

Re:

[erroneus]

Don't jump to conclusions about this. A rootkit is not a virus and isn't necessarily malware at all depending on how it is applied and used.

I could describe similar behaving software as an anti-theft and tracking function. Say someone steals my shiny new android phone and I want it back. Once I have some sort of access to the phone, I can ask it to take pictures and send them back to me. I can ask it to get a GPS read and send it back to me. I can ask it to get a log of activities such as options explo

Re:

[LingNoi]

If this is going to work as an anti theft device activated by an sms or phone call how are you going to know which number to call? The first thing a criminal does when stealing your phone is to take the battery and sim out.

Re:

[delinear]

Unless he wipes the OS too, there's already an app [trackdroid.org] that, when your sim card is replaced, will send you a text message or email with the GPS location of the phone. If you have it send a text message, you also get the number of the new sim, so you can go directly to the police with the (reasonably) exact location of the phone and the contact details of the registered purchaser of the sim.

Re:

[debatem1]

Amen. TFA implies- though it doesn't directly state- that this took root privs to install in the first place, at which point I don't need to remotely enable the malware- I've already got the ability to do whatever the hell I want.

Re:

[delinear]

Actually, there's already an App on the Android marketplace that does what you describe. I think you can call, email or SMS your mobile with a command that will enable a bunch of features, such as getting the GPS location via an online service, disabling or password protecting the phone or even triggering it to start beeping at full volume every time it's turned on. There's even an App which will check for the sim card being replaced and will alert you to the location of the phone when it's switched on. Oka

Re:

[Timmmm]

There is already an 'anti-virus' app in the Android market. It has many 5 star reviews, but seeing as there *are* no android viruses yet I assume it just pretends to scan your system and then says 'no viruses found' or something.

Re:

[delinear]

Of course, if you wanted people to think it was worth using, you'd occasionally flag up some "found 8 viruses, all successfully removed" kind of messages :)

Re:

[delinear]

It's to be expected, we all know what a massive issue viruses are on Linux, so we shouldn't really expect a Linux-based phone to be any different. Oh, wait...

Re:

[Anonymous Coward]

Who's stopping you from buying a plain cell phone? Spend $50, get an unlocked quadband GSM phone that works anywhere in the world, and the battery lasts nearly two weeks. I had one from Samsung for a while, it worked great.

The rest of us want some kind of highly portable computer that also happens to make phone calls. And we pay quite a bit more for that.

Hacking mobiles

[lobf]

Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as they increase in popularity? I'm not being facetious, I come here because I don't know these answers.

It will be.

[maillemaker]

>Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as >they increase in popularity? I'm not being facetious, I come here because I don't know these answers. If it's not, it will be. Clearly there is big business to be made in compromising traditional computer systems today. In the early days (and I've been around computers since the TI99/4A) it seems that "viruses" were primarily made as a prank. But today the biggest threats seem to be botnets which are used for profit to either propagate spam and execute denial of service attacks through distributed means, or simply to skim valuable user account data off of the compromised systems. This is all far beyond the amateur pranks of old. It is now done for financial gain. Cell phones have rapidly become computers. All the benefits of compromising traditional computers will likely follow.

Re:

[maxwell demon]

Not only that. Attackers could get your phone banking credentials by just recognizing when you call a phone banking number, and then recording the initial part of your phone call and sending the files to the attacker. Remember, as much as smartphones are computers, they are still phones (in principle it could be done for VoIP on traditional computers, too, but I guess few people do phone banking over VoIP). In addition, they often are GPS appliances as well, so additionally an attacker could use them to tra

Re:

[Seth024]

That's certainly possible.

The big problem I believe is that there are so many different operating systems (Symbian, iPhone OS, Android...) that all have a part of the market. Being able to write a virus/find a backdoor to control 90% of PCs is very profitable. Just like there are not many people writing virusses for Mac OS or Linux, there are not many viruses for mobile phones (yet).

Re:

[delinear]

I would have thought, if it was easy, it would certainly already be happening. The smartphone market might be small compared to a desktop OS like Windows, but the possibility for profit is much more immediate, since you have a device which can connect to premium services without any further need to obtain secure passwords or banking details, etc. from the owner. You just set up a premium number in a foreign locale, have the software wait until the phone is idling (on charge maybe, and not been touched for a

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TyFoN]

You can install unsigned applications on Android as well.
But to install a rootkit (as described in TFA), first you need to find a telephone that is rooted and has a custom rom that has a custom kernel that enabled the loading of kernel modules. Then you need to get the user to actually install the trojan and click "yes" to the "do you want this to run as root". A person with a phone in that configuration is unlikely to click yes for a game or something like that anyway.

Re:

[erroneus]

A LOT of useful data on an individual could be collected from smart phones including where they do business and other commerce. So instead of sending out random spam/phishing emails that alert and confuse people because they don't have an account at "Bank of Whatever." They could identify, among other things, what banks and shops they have visited and then send them targeted attacks saying "your recent visit to has made you eligible for this special offer. Please go and sign up for and provide your pe

lol

[larry bagina]

Microsoft Talks Back To Google's Security Claims -- coincidence?

Don't worry, be happy!

[jo42]

Google will fix it in 2.3 Sherbet.

- T. Roll

Re:

[Anonymous Coward]

It's not a bug. They say "once it's installed." This isn't a rootkit, it's just an app that responds to incoming calls (anyone can do this now). There would still need to be an exploit to get the app installed in the first place. The title is certainly a little misleading.

Re:

[masterwit]

It's not a bug.

It's a feature!

Re:

[FunkyELF]

I don't see what there is to fix.
The nice thing about an open platform is that you can install anything you want.
Just un-check the box that only lets you install from trusted sources.
The article simply said "Once it's installed on the Android phone".
Later on it said it ran as a kernel module. I bet this is only installable voluntarily by someone with a rooted phone anyway and I say if the user wants to install a root-kit, let them install a root-kit.

just like installing a trojan on your computer!

[Anonymous Coward]

...which could let the hacker get access.

I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

And the ability to "listen" for a call is called a BroadcastReceiver. It's nothing special or hackish. Think a trigger ruleset for Android like you have for your mail client.

Good god.

Re:

[clang_jangle]

Yep, it's a trojan.

From FTFA:

Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS (short message service) message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. "You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program]," said Christian Papathanasiou, a security consultant with Chicago's Trustwav

Re:

[MikeBabcock]

Responding on behalf of the parent, the software has to be installed first. Manually.

Now sure, someone borrowing your phone might do it, but the software has to get onto your phone and be permitted to make these changes first.

This type of rootkit already exists in the form of phone locator software.

Re:

[AndroidCat]

(If they can rootkit my Milestone down past the locked loader, I want to know how! [Yeah, of course I got an Android phone, it was .. destiny.])

Odds are there are far more stupid "smartphone" users than PC/Mac ones.

Want to tap virgin pools of stupidity? There's an app for it!

Re:

[SQLGuru]

All it takes is one cool app that people want (say, a really cool free Tower Defense game) that incorporates the Trojan. The point of the Trojan is that is pretends to be something you want to get you to install it. Until someone figures out that it's a Trojan, it'll spread like wildfire.

Re:just like installing a trojan on your computer!

[mlts]

Even if a user gives permissions, they may get their account and messages compromises, but unless there is an exploit the malware uses that isn't known by the modding/rooting community, there is NO WAY that something installed as an APK in a user account on a phone is going to be able to get root access to drop in a kernel module. Even if it did, phones like the Motorola Milestone have signed Linux kernels and are not built with the ability to load modules, so all it would do is nothing or cause the phone to bootloop.

Don't forget, that a lot of kernels on Android phones are built monolithic and not allowing kernel extensions. A custom kernel that is explicitly built to allow .ko files on a G1 is likely what is needed for this exploit.

I can see three ways that this kernel rootkit (which is nothing new -- there have been Linux kernel modules for rootkits since the late 1990s) can get on an Android device, and all three require a rooted phone:

1: The app masquerades as a root utility. There are some utilities which are very useful for rooted phones. Droidwall, Autostarts, Wireless Tether, Wired Tether, root explorer, Titanium Backup, SQLite Editor, and a terminal emulator are must have utilities, because they add a lot of useful functionality. I can see a utility masquerading as something useful for rooted phones, getting installed, then going to town on the phone, replacing BusyBox with a utility that hides the rootkit, opening up a command port, and so on.

2: Some malware is put on a custom ROM. This would kill the custom modding scene as we know it if this happens, and makes me wish that people who "cook" ROMs would PGP or gpg sign the images, so a determined blackhat would not be able to tamper with things.

3: An app gets access to the SD card, manages to alter nandroid backups on the card and/or add an update.zip file which is signed, and then runs an update. This way, the malware package would be sucked in implicitly.

So, for the average user with Android, a rootkit isn't going to happen unless it uses an exploit, and these days, RAMDLD exploits and such are rare for phones.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mlts]

It sounds like you know what you are doing and are able to cook ROMs worth downloading. I just think that because compromising phones is so lucrative [1] that it will only be a matter of time before the modding community (be it Windows Mobile, Android, jailbroken iPhone utilities, even the N900) will be strongly hit by this. This is why I like the idea of PGP/gpg signing ROMS, and perhaps urging a popular modding forum (xda-developers, modmymoto, etc.) to sign and store copies of developers' PGP/gpg keys

Re:

[ady1]

I agree with major part of your post except one small discrepancy. Milestone does not have a monolithic kernel. in fact, none of the android devices do. Simply because a lot of the underlying device drivers are propriety while the Linux kernle is GPL so Module support is a must. Just an example of a thirdparty module with stock kernel: http://code.google.com/p/milestone-overclock/ [google.com]

Re:

[Securityemo]

Something being "special or hackish" doesn't matter, as long as it works. The only reason to use convoluted-but-well-known methods instead of the platform API is to dodge security; there is no reason to do such things if there's nothing to dodge.

Re:just like installing a trojan on your computer!

[khchung]

I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

And that's exactly why you and many /.ers cannot see the value proposition of the iPhone. For you, the Andriod phone is just a
smaller PC, a general purpose computer, so if a user don't know enough not to install trojans, that's the users problem.

But to the users, the phone is an appliance, that is used daily and contain lots of private information. The last thing I want is for it to crash or got trojan leaking my data. If the cost of that is I have to subject to Apple's arbitrary rules, cannot run flash, may miss out a few "cool" apps, and may not use the hardware to the fullest possibility, then so be it. I would still be using a 2G dumb phone if none of the phones in the market can give me that value.

Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.

As a user, I don't care if I am not using the hardware to the fullest possibility, what I care is what kind of value proposition the product is giving me.

Re:

[delinear]

What evidence do you have that it's any more or less difficult to execute this kind of attack against the Android over the iPhone? Both have locked down market places where regular users go for all of their app needs, the only difference is that more advanced users can install code from outside the market place on the Android. The kind of users who go to these lengths tend to have a bit more technical savvy, and would likely be the type of people who would jailbreak their iPhone anyway, exposing it to the s

Re:just like installing a trojan on your computer!

[khchung]

You missed the point. General users don't care about what advance users cannot do. If you want a phone that you can install whatever you want, don't buy the iPhone.

Secondly, whether by genius, pure luck, reality distortion field, crazy app store policy or whatever, Apple has successfully created the iPhone as a platform that can consistently delivery the intended appliance-like user experience.

In contrast, it doesn't matter that you can write 2 papers or win every Slashdot argument that the Android is, in theory, just secure as the iPhone. When users cannot buy from the app store because his country is not supported, when users can only install pirated app because of that (and thus opening the opportunity for trojans), and when apps his friend told him about is invsible because of different OS version, it erodes the user's experience.

Added on that, you got developers who thinks a user installing a trojan is his own fault, implying the user is responsible for learning to use the phone as a general purpose PC, then the phone failed to behave as an appliance, it lost its value for users look for an appliance.

Re:just like installing a trojan on your computer!

[Pharmboy]

Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.

But you are a different kind of user, just as iPhone customers are different than Android customers. Some of us WANT to tweak with the phone/system a bit and willing to pay the price, ie: higher likelyhood of issues and higher maintenance. This is the same reason I prefer PC games over console games.

You don't have to be an uber hacker, or even a programmer, to appreciate the ability to tweak things. For you, the phone (or gaming console) is an "appliance". To me, my phone and computers are "tools", which can be sharpened, changed, upgraded, and sometimes broken. It is just a difference in expectations. I"m picking up my first Android in a week. The main reason I am getting one is to be able to ssh into my Linux servers and manage them from anywhere, and I mean anywhere. That doesn't sound like something you would do.

Re:

[mlts]

Maybe this is where Android "fragmentation" might be good. An exploit that works for Android 1.5 and the Samsung Behold 2 likely won't work on a Droid running 2.1, especially if it uses a kernel module, and will almost definitely won't work if neither phone is rooted.

Re:

[delinear]

This is simply another case of Misleading Title Strikes Again. From TFA:

On its own, Trustwave's rootkit isn't much of a threat to Android users. That's because a criminal would first need to figure out how to install the software on a victim's phone. This could be done by building the rootkit into a rogue application sold via the Android Market, or by exploiting a new, unpatched bug in Android's Linux kernel that could allow the program to be installed.

So basically it doesn't do anything new - it's trivia

Re:

[RenderSeven]

What can we do to defend against this?

Generally, dont lend your phone to security researchers at hacking conferences. Writing a rootkit makes good headlines but the article says they freely admit they dont have a clue how to install it with a rogue application.

Re:

[delinear]

Agreed - maybe just some method of notifying users that $RANDOM_APPLICATION has been discovered to have vulnerabilities, with the option to ignore it, remove it or visit some website for further details. I might have a legitimate reason for wanting the code on my phone (if I'm a researcher, for instance), or I might need to retrieve valuable data before it gets wiped. At the very least, events of the past couple of years show people like to be informed/involved in this process, rather than some process sile

Re:

[MikeBabcock]

You know if you posted other than AC you could answer this ...

But have you seen how the permissions work on Android?

When installing this app you'd have to give it permission to do the things it does. It asks explicitly.

Wow this article makes it so scary

[Technomancer]

From TFA: "The rootkit could also track a victim's location or even reroute his browser to a malicious Web site."
Really? And then what? The malicious website will install another worse rootkit?
It has rootkit! The phone is compromised, all the information you have on it is potentially leaked and the phone doesn't belong to your carrier anymore (it never belonged to you, you realize that, right?) it belongs to the rootkit operator. The only cure is to either flash it with fresh OS or burn it with fire.

Re:

[fermion]

I agree that for the most part such a rootkit would be more of an annoyance than anything else. Most people don't do serious work on their phones, and so bank passwords and the like should not be an issue. However even annoyances can be an issue. Remember when everyone was up in arms because malicious web site would substitute or create additional advertising? Remember when everyone had a 'helper' browser plugin that would display pop ups and track all you web browsing then send all that data to adverti

Re:

[Fumus]

the phone doesn't belong to your carrier anymore (it never belonged to you, you realize that, right?) it belongs to the rootkit operator.

I don't know about you, but I buy my phones myself. It's always cheaper than if I got it on contract and had to pay an X amount of money over Y years.

Talk about misleading headline!

[AC-x]

The headline makes it sound like you can get infected with a root kit from a phone call which is nothing like what's being said, what a load of sensationalist bollocks.

Why would you even want to activate a root kit via a phone call? The phone's got a permanent internet connection so it may as well just poll a server for commands.

Re:

[Xest]

Yep, I'm trying to figure out what exactly the point of this demonstration is.

It's like the guy in question has just figured out that you can write software that does bad things, not just good things, and so has written a piece to demonstrate this.

What can be done is irrelevant, we already know what can be done, the problem is doing it, and that needs an attack vector, ideally a remotely exploitable one for the "best" hacks, and this guy hasn't found any.

I'm not even sure it serves as an example of the futu

Pure and utter bullshit

[Anonymous Coward]

You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell

And then he can make the phone emit lasers that will kill your dog and drive your car into a wall!

*sigh*

The thing about a rootkit is that you need root before it works.

Installing an app from Market (or anywhere else) won't do it.

So.. in order for this to be a threat, the attacker would have to convince the user to root their phone (potentially bricking it), install their trojan app, then give that app root access.

While there may be stupid people around, the number of stupid people who would root their phone, to install an app, and give that app root access, and not know that this a stupid thing to do is miniscule (and IMHO those that would deserve everything they get.)

This is a total non-issue.

Re:

[RyuuzakiTetsuya]

or an exploit to escalate privileges to root. :)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[delinear]

You have to be crazy to buy an Android phone and not root it. I rooted mine almost as soon as I found out how. Root gives you more options, including the ability to install custom roms, that work even better. I would expect that at least 90% of android phones are rooted, or all those people are wasting their phone's abilities. I got a backup app on my phone. I can wipe and reflash the ROM as often as I want. I do it every time a new version is released.

Likewise 87% of all statistics are completely made up without any basis in reality. I'd be very surprised if anywhere near 90%, or even anywhere near 5% of Android users had rooted their phones. Here, the latest Android phones are selling out, they're so popular, I just find it hard to believe that there are that many people competent enough to do this and willing enough to void their warranties. Same with iPhones - I know two circles of people, one technical, one non-technical, while a few of the technical

sooo. yeah?

[Eil]

I'm not trying to belittle these guys' security research or anything, but why is it surprising that you can whip up a rootkit which runs on a phone? Anything with a CPU can have backdoors made for it. The hard part has always been getting the backdoors onto arbitrary devices without the owner knowing about it.

Engineer a computer which can be proven secure and then I'll be impressed.

Re:

[ady1]

A rootkit is a program. To make a computer truly secure, you need to remove the ability to run programs. Thus, you need a computer which isn't a comp.... errr never mind.

Code can run on processors if installed properly.

[GNUALMAFUERTE]

Film at 11.

This guys installed a fucking KERNEL MODULE into that system. Well, they can make it receive calls, or they can make it play fucking tetris. It's code. You can write whatever you want, and execute it however you want, if you have access!

Being able to run code in a given processor is NOT AN EXPLOIT, it's just basic functionality. If I got ahold of your computer, installed a CD drive in it, erased your OS, then installed Ubuntu on it, and used that to play tetris, is that considered a vulnerability too?

It would be a vuln if they had the ability to install that fucking rootkit without physical access to the phone. That's the hard part.

Article is FUD and submiter is trolling. 0/10

Re:

[GNUALMAFUERTE]

Sorry to reply to myself, but this ridiculous "research" comes out a day after Google announces it's ditching windows because it's insecure. Anyone smells microsoft behind this "independent research"?

Re:

[Mark19960]

Or Apple.
There has been a lot of FUD like this lately.

If they target the modding community someone will spot this VERY fast.
If they get this on 10 phones without the owner knowing I would be shocked.

They can do the same to iPhones so like you said, article fails.
Better yet, take the article and replace android with iPhone OS and now you have Apple FUD.

Re:

[delinear]

I don't think Apple or MS benefit greatly from this, okay it specifically talks about Android phones, but some mud is bound to stick to them, too. Following the money would suggest AV vendors, who for years have been unable to make much headway selling AV solutions to Linux or OSX users, are suddenly worrying about the possible move to mobile devices which primarily use systems which haven't been subject to masses of viruses. On the horizon, mobiles with tethered devices for applications which require more

Re:

[D H NG]

Google announced no such thing. It's a news story from the Financial Times that Google neither confirmed nor denied.

So what ... required physical access

[smart_ass]

If I get physical access to your phone I can install something that can steal all your contact info and CC #s ...
How about I steal the phone, steal the info and then reset the phone and use it myself ... no Rootkit required?

What the hell ... how is this news?

Slow day on /.

Re:

[Fnord666]

What the hell ... how is this news?

Apparently it's news to samzenpus, which doesn't say much for the editorial staff here.

Re:

[delinear]

It contains the magic ingredients: a product by a popular or well known brand and the word "rootkit". There's probably an automated system to just greenlight all such stories without an editor ever having to intervene.

Wrong title.

[mallyone]

Should read: Android rootkit is just a fud call away.

Seems like a good Proof of Concept...

[HockeyPuck]

Sure the researcher had to write a kernel module etc etc... but how does most malware get on peoples computer? They inadvertently install it because they want IM icons, funny sounds, animated pointers etc etc. So what's to say someone doesn't write some Android application that appears to be harmless yet everyone wants it, then mom/dad/grandma install it?

I would be more impressed if the researcher found a way to get rootkit software through Apple's auditing process.

While I'm no apple fanboy, I would think

Re:

[delinear]

Of course anyone could write such an application. It won't have root, though, and it will have to flag up a message specifically requesting access to every process it needs to use at the point of install. If the application can survive not being spotted by someone technically competent and can convince a user that a nice icon pack needs access to their phone's dialling ability, then fair enough, there's not a lot you can do to mitigate this besides locking everything down and vetting everything. If this eve

So...Your Soon-To-Be Wife Loads up Your Android

[BoRegardless]

Ahh...open source cell phones give me that wonderful, fuzzy, anti-establishment, broke ex-husband living in a 1 room apartment feeling.

Re:

[tmach]

If my wife could create a rootkit, I wouldn't be divorcing her!

Physical Access

[slater86]

Once it's installed on the Android phone

One would assume that if you had physical access to most equipment, its usually game over anyway. No more vulnerable than a netbook really(both being more portable than desktops). Just more people have phones.

Once it's installed?

[Rog7]

Okaaaaaaay. What's the point of this article?

"Once it's installed" ...

There's no description or indication of a specific exploit that can be leveraged. In fact the entire premise doesn't require an exploit at all.

You know, once I light a match and burn my phone, it will be burnt! Good grief.

Once it's installed

[Dishevel]

Once it's installed on the Android phone....

samzenpus. You are a fucking idiot. Attention! One the fucking idiot program is installed into samzenpus's cpu he will become a fucking idiot. Too late.

Someone rescue the children!

[RichiH]

So you are saying if I install software on a computer, said software can react to incoming data? Their (sic) should be a law against these sort of things!

Coming up next: Man hits self with hammer; feels pain.

PS: Yes, a phone number tends to stay associated with a device which is not true for IPv4. That might or might not change with IPv6.

Re:

[delinear]

There is no magic exploit. If I got physical access to your Android, I could root it then install a rootkit. If I got access to your iPhone, I could jailbreak it and install a rootkit. If I got access to either of your phones, why would I bother when I could just sell them for a guaranteed return? And if I have no access to your phone, how do I root it and install a rootkit? This isn't Apple vs Google, it's AV vendor FUD vs. common sense. By muddying the water you're working against common sense.