Android Rootkit Is Just a Phone Call Away

alphadogg writes "Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious 'rootkit' program they've written for Google's Android phone next month at the Defcon hacking conference in Las Vegas. Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. 'You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program],' said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research."

Re:just like installing a trojan on your computer!

[mlts]

Even if a user gives permissions, they may get their account and messages compromises, but unless there is an exploit the malware uses that isn't known by the modding/rooting community, there is NO WAY that something installed as an APK in a user account on a phone is going to be able to get root access to drop in a kernel module. Even if it did, phones like the Motorola Milestone have signed Linux kernels and are not built with the ability to load modules, so all it would do is nothing or cause the phone to bootloop.

Don't forget, that a lot of kernels on Android phones are built monolithic and not allowing kernel extensions. A custom kernel that is explicitly built to allow .ko files on a G1 is likely what is needed for this exploit.

I can see three ways that this kernel rootkit (which is nothing new -- there have been Linux kernel modules for rootkits since the late 1990s) can get on an Android device, and all three require a rooted phone:

1: The app masquerades as a root utility. There are some utilities which are very useful for rooted phones. Droidwall, Autostarts, Wireless Tether, Wired Tether, root explorer, Titanium Backup, SQLite Editor, and a terminal emulator are must have utilities, because they add a lot of useful functionality. I can see a utility masquerading as something useful for rooted phones, getting installed, then going to town on the phone, replacing BusyBox with a utility that hides the rootkit, opening up a command port, and so on.

2: Some malware is put on a custom ROM. This would kill the custom modding scene as we know it if this happens, and makes me wish that people who "cook" ROMs would PGP or gpg sign the images, so a determined blackhat would not be able to tamper with things.

3: An app gets access to the SD card, manages to alter nandroid backups on the card and/or add an update.zip file which is signed, and then runs an update. This way, the malware package would be sucked in implicitly.

So, for the average user with Android, a rootkit isn't going to happen unless it uses an exploit, and these days, RAMDLD exploits and such are rare for phones.

Re:Pure and utter bullshit

[Anonymous Coward]

Did you see that anywhere in the article?

No. They explicitly said that this could be done with a market app.

In other words, they have no exploit. They have no attack vector. This is just bullshit.

Re:Anti Virus?

[delinear]

Unless he wipes the OS too, there's already an app [trackdroid.org] that, when your sim card is replaced, will send you a text message or email with the GPS location of the phone. If you have it send a text message, you also get the number of the new sim, so you can go directly to the police with the (reasonably) exact location of the phone and the contact details of the registered purchaser of the sim.

Re:Anti Virus?

[Anonymous Coward]

"Signed" in Android terms doesn't actually mean much. Developers self-sign their apps. The point? I really don't know. What you're talking about is the setting that allows users to install apps from sources other than the Market.

Re:Anti Virus?

[dougisfunny]

Which isn't a real browser anyway.