Android Rootkit Is Just a Phone Call Away
alphadogg writes "Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious 'rootkit' program they've written for Google's Android phone next month at the Defcon hacking conference in Las Vegas. Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. 'You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program],' said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research."
Anti Virus? (Score:4, Insightful)
Is there going to be a huge market for antivirus software for cell phones within the next few years?
Re:Anti Virus? (Score:2, Insightful)
Well the Apple way of doing things would just be to yank any app that's discovered to have an active exploit, and maybe remote wipe it from phones, then probably disable any infected phones until the OS is reinstalled. If that works for the masses it could be a nightmare for Richard Stallman, because it'll probably spread from there to the desktop.
Re:Anti Virus? (Score:5, Insightful)
Is there going to be a huge market for antivirus software for cell phones within the next few years?
For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.
Protecting your users from bad people isn't really very difficult. (firewall) Protecting them from themselves, that's a trick. (AV software)
I'm surprised we haven't seen a much faster rise in malware for unlocked phones in the last few years.
Talk about misleading headline! (Score:5, Insightful)
The headline makes it sound like you can get infected with a root kit from a phone call which is nothing like what's being said, what a load of sensationalist bollocks.
Why would you even want to activate a root kit via a phone call? The phone's got a permanent internet connection so it may as well just poll a server for commands.
Pure and utter bullshit (Score:4, Insightful)
You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell
And then he can make the phone emit lasers that will kill your dog and drive your car into a wall!
*sigh*
The thing about a rootkit is that you need root before it works.
Installing an app from Market (or anywhere else) won't do it.
So.. in order for this to be a threat, the attacker would have to convince the user to root their phone (potentially bricking it), install their trojan app, then give that app root access.
While there may be stupid people around, the number of stupid people who would root their phone, to install an app, and give that app root access, and not know that this is a stupid thing to do is minuscule (and IMHO those that would deserve everything they get.)
This is a total non-issue.
sooo. yeah? (Score:5, Insightful)
I'm not trying to belittle these guys' security research or anything, but why is it surprising that you can whip up a rootkit which runs on a phone? Anything with a CPU can have backdoors made for it. The hard part has always been getting the backdoors onto arbitrary devices without the owner knowing about it.
Engineer a computer which can be proven secure and then I'll be impressed.
This article brought to you by.... (Score:1, Insightful)
Apple, and possibly in some part by Microsoft. Competition is bad, just plain bad, when are we idiot consumers going to get this through our microscopic minds?!
Code can run on processors if installed properly. (Score:5, Insightful)
Film at 11.
These guys installed a fucking KERNEL MODULE into that system. Well, they can make it receive calls, or they can make it play fucking tetris. It's code. You can write whatever you want, and execute it however you want, if you have access!
Being able to run code in a given processor is NOT AN EXPLOIT, it's just basic functionality. If I got ahold of your computer, installed a CD drive in it, erased your OS, then installed Ubuntu on it, and used that to play tetris, is that considered a vulnerability too?
It would be a vuln if they had the ability to install that fucking rootkit without physical access to the phone. That's the hard part.
Article is FUD and submitter is trolling. 0/10
Re:Don't worry, be happy! (Score:2, Insightful)
It's not a bug. They say "once it's installed." This isn't a rootkit, it's just an app that responds to incoming calls (anyone can do this now). There would still need to be an exploit to get the app installed in the first place. The title is certainly a little misleading.
Re:Anti Virus? (Score:3, Insightful)
wait, you mean i have to trust the code i execute?
Only on devices you want to reliably and securely use...
it's kind of like that rule about only flossing the teeth you want to keep.
Re:Anti Virus? (Score:3, Insightful)
Haven't read the article yet - so I wonder if this affects stock android phones. The default setting for android is not to install anything unsigned.
So what ... required physical access (Score:3, Insightful)
If I get physical access to your phone I can install something that can steal all your contact info and CC #s ... no Rootkit required?
How about I steal the phone, steal the info and then reset the phone and use it myself
What the hell ... how is this news?
Slow day on /.
Re:Anti Virus? (Score:3, Insightful)
Don't jump to conclusions about this. A rootkit is not a virus and isn't necessarily malware at all depending on how it is applied and used.
I could describe similar behaving software as an anti-theft and tracking function. Say someone steals my shiny new android phone and I want it back. Once I have some sort of access to the phone, I can ask it to take pictures and send them back to me. I can ask it to get a GPS read and send it back to me. I can ask it to get a log of activities such as options explored and executed, phone calls, text messages, web or other internet activity, track motion and location data to show where the phone has been and when -- anything to help identify where the phone is and who took it. The door to this functionality, of course, would be triggered by a phone call from a particular source (or a particular caller ID) or a specially crafted SMS text message.
This discussion isn't about INFECTING a phone with a phone call or SMS text message. The planting of the rootkit most often comes from the execution of untrustworthy code, for example, a Sony-BMG music CD. The rootkit would be inserted by a game or app that the user himself decided to execute. While there is always the possibility of a web drive-by installation the way we hear about on Windows computers, I think it is more likely that the user would have to be misled or fooled into running the code to install the rootkit.
Such techniques would be used by both "bad guys" (criminals) and "other bad guys" (law enforcement).
Physical Access (Score:2, Insightful)
One would assume that if you had physical access to most equipment, it's usually game over anyway. No more vulnerable than a netbook really (both being more portable than desktops). Just more people have phones.
Re:just like installing a trojan on your computer! (Score:5, Insightful)
I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?
And that's exactly why you and many /.ers cannot see the value proposition of the iPhone. For you, the Android phone is just a smaller PC, a general purpose computer, so if a user doesn't know enough not to install trojans, that's the user's problem.
But to the users, the phone is an appliance, that is used daily and contains lots of private information. The last thing I want is for it to crash or get a trojan leaking my data. If the cost of that is I have to be subject to Apple's arbitrary rules, cannot run flash, may miss out on a few "cool" apps, and may not use the hardware to the fullest possibility, then so be it. I would still be using a 2G dumb phone if none of the phones in the market can give me that value.
Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.
As a user, I don't care if I am not using the hardware to the fullest possibility, what I care about is what kind of value proposition the product is giving me.
Re:Anti Virus? (Score:5, Insightful)
How exactly is OS X an exception? If you think OS X has effective protection against trojans and root kits, you're deluding yourself.
Re:Anti Virus? (Score:1, Insightful)
"Jail Broken" is a shitty term, and it's less valid than the term you're bitching about.
Unlocked (or Application Unlocked) - able to install unsigned/unapproved/unofficial programs
Carrier Unlocked - able to move across carriers (provided the radio and ID methodology (SIM card, for example) are supported)
Rooted - Having root access on the phone
Jail Broken - Derp I'm an Apple user derp
Re:Talk about misleading headline! (Score:3, Insightful)
Yep, I'm trying to figure out what exactly the point of this demonstration is.
It's like the guy in question has just figured out that you can write software that does bad things, not just good things, and so has written a piece to demonstrate this.
What can be done is irrelevant, we already know what can be done, the problem is doing it, and that needs an attack vector, ideally a remotely exploitable one for the "best" hacks, and this guy hasn't found any.
I'm not even sure it serves as an example of the future of malware, it's hardly even imaginative. I suspect future malware threats will more likely involve things like P2P networks set up by the malware itself that are used to distribute updates that provide the malware with new exploits to try infecting other machines with or that receive anti-anti-virus updates to kill off any AV software even if attempts are made to update it. In general, I suspect malware will get a whole lot more intelligent in terms of mining data on infected systems, making users believe there's nothing wrong, and in spreading itself.
The example in TFA demonstrates none of this sort of thing, just stuff that's long already been done. Hell, even my examples are hardly that far fetched, I'm sure some malware out there already does a lot of this sort of thing right now.
Re:Anti Virus? (Score:2, Insightful)
For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.
How exactly is OS X an exception?
Due to the notably disproportionate lack of spyware on the Mac.
By that logic, if I leave my front door open year round yet don't get burgled, my home must be burglar proof!
Re:just like installing a trojan on your computer! (Score:4, Insightful)
Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.
But you are a different kind of user, just as iPhone customers are different than Android customers. Some of us WANT to tweak with the phone/system a bit and are willing to pay the price, ie: higher likelihood of issues and higher maintenance. This is the same reason I prefer PC games over console games.
You don't have to be an uber hacker, or even a programmer, to appreciate the ability to tweak things. For you, the phone (or gaming console) is an "appliance". To me, my phone and computers are "tools", which can be sharpened, changed, upgraded, and sometimes broken. It is just a difference in expectations. I'm picking up my first Android in a week. The main reason I am getting one is to be able to ssh into my Linux servers and manage them from anywhere, and I mean anywhere. That doesn't sound like something you would do.
Re:just like installing a trojan on your computer! (Score:5, Insightful)
You missed the point. General users don't care about what advanced users cannot do. If you want a phone that you can install whatever you want, don't buy the iPhone.
Secondly, whether by genius, pure luck, reality distortion field, crazy app store policy or whatever, Apple has successfully created the iPhone as a platform that can consistently deliver the intended appliance-like user experience.
In contrast, it doesn't matter that you can write 2 papers or win every Slashdot argument that the Android is, in theory, just as secure as the iPhone. When users cannot buy from the app store because their country is not supported, when users can only install pirated apps because of that (and thus opening the opportunity for trojans), and when apps their friends told them about are invisible because of a different OS version, it erodes the user's experience.
Added on that, you got developers who think a user installing a trojan is his own fault, implying the user is responsible for learning to use the phone as a general purpose PC, then the phone failed to behave as an appliance, it lost its value for users looking for an appliance.
Re:just like installing a trojan on your computer! (Score:3, Insightful)
You know if you posted other than AC you could answer this ...
But have you seen how the permissions work on Android?
When installing this app you'd have to give it permission to do the things it does. It asks explicitly.