Slashdot Mirror


Android Rootkit Is Just a Phone Call Away

alphadogg writes "Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious 'rootkit' program they've written for Google's Android phone next month at the Defcon hacking conference in Las Vegas. Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. 'You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program],' said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research."

190 comments

  1. Anti Virus? by kobaz · · Score: 3, Insightful

    Is there going to be a huge market for antivirus software for cell phones within the next few years?

    --
    The goal of computer science is to build something that will last at least until we've finished building it.
    1. Re:Anti Virus? by grantek · · Score: 1, Insightful

      Well the Apple way of doing things would just be to yank any app that's discovered to have an active exploit, and maybe remote wipe it from phones, then probably disable any infected phones until the OS is reinstalled. If that works for the masses it could be a nightmare for Richard Stallman, because it'll probably spread from there to the desktop.

    2. Re:Anti Virus? by v1 · · Score: 4, Insightful

      Is there going to be a huge market for antivirus software for cell phones within the next few years?

      For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

      Protecting your users from bad people isn't really very difficult. (firewall) Protecting them from themselves, that's a trick. (AV software)

      I'm surprised we haven't seen a much faster rise in malware for unlocked phones in the last few years.

      --
      I work for the Department of Redundancy Department.
    3. Re:Anti Virus? by zonky · · Score: 1

      wait, you mean i have to trust the code i execute?

    4. Re:Anti Virus? by Totenglocke · · Score: 2, Insightful

      I'd rather just see anti-virus software on PCs incorporate definitions for mobile phone viruses / rootkits as well - that way you can just run a virus scan once a week with your phone plugged into your computer and not have to worry about killing the battery life on your phone.

      --
      "The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants." ~Thomas Jefferson
    5. Re:Anti Virus? by Noitatsidem · · Score: 1

      I'd really hope not.

      --
      Feel free to mod me down, just know that unlike some Anonymous Cowards I'm not afraid to express my views as myself.
    6. Re:Anti Virus? by oztiks · · Score: 1

      I believe so, the value of commandeering a mobile phone and then using it for illegitimate financial gain is there, the possibilities are the same as a Trojan on a PC, perhaps even more.

      A mobile Botnet being able to DoS targets with smartphones and it wouldn't be limited to just internet, it could be done with the phone/sms aspect as well.

    7. Re:Anti Virus? by SQLGuru · · Score: 1

      Wait, you have to plug your phone into your computer? My WinMo phone syncs via Bluetooth (and if I had a data plan, would sync via the 3g).

      Actually Kaspersky has a mobile AV that's been available for a while: http://usa.kaspersky.com/products_services/mobile-security.php

    8. Re:Anti Virus? by Anonymous Coward · · Score: 0

      ... If that works for the masses it could be a nightmare for Richard Stallman, because it'll probably spread from there to the desktop.

      I think I'm getting tired, because for a couple seconds I had some really strange imagery going on.

    9. Re:Anti Virus? by Anonymous Coward · · Score: 1, Interesting

      Actually, Apple's way of doing it is to have complex analysis, bounds checking and simulation tools they run on your code before they approve. I'm not saying it's foolproof. It's just one case where not being open has its advantages.

    10. Re:Anti Virus? by FatdogHaiku · · Score: 2, Insightful

      wait, you mean i have to trust the code i execute?

      Only on devices you want to reliably and securely use...
      it's kind of like that rule about only flossing the teeth you want to keep.

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    11. Re:Anti Virus? by Skuld-Chan · · Score: 2, Insightful

      Haven't read the article yet - so I wonder if this affects stock android phones. The default setting for android is not to install anything unsigned.

    12. Re:Anti Virus? by Kingrames · · Score: 1

      "I'm surprised we haven't seen a much faster rise in malware for unlocked phones in the last few years."

      The room does not become empty when you close your eyes.
      - Quote mangled from a joke taken from the Jargon File.

      --
      If you can read this, I forgot to post anonymously.
    13. Re:Anti Virus? by grcumb · · Score: 1

      For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware.

      Can you explain precisely what you mean when you use the term 'unlocked'? You're almost certainly wrong no matter which sense you use it in, but I want to make sure I refute the proper argument. 8^)

      Okay, seriously: The valid part of your statement is your mention of 'unsigned software', which I take to mean the Microsoft approach of allowing all comers with little more than a 'caveat emptor' to protect the person who installs it. If that's the case, then yes, it is a design liability.

      But even then, it's not inconceivable that a phone maker could sandbox all applications and police the hardware itself, showing the user explicitly what each app is doing, or autonomously applying certain sane rules.

      There's no doubt, however, that having central repositories is a useful element in overall system security. Linux and Apple have demonstrated that fairly well.

      But none of that has to have anything whatsoever to do with whether the phone is 'locked' or not. In fact, I can't really see how tying the phone to a particular vendor (that is what you mean, right?) has anything whatsoever to do with security. If experience is any guide, this would be counter-productive, because it would encourage vendors not only to go their own way, but to build walls between their respective implementations. Apple notwithstanding, historically these companies handle security very poorly because they see it as a cost centre rather than a baseline requirement.

      ... Or did you mean 'jail broken'?

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    14. Re:Anti Virus? by Anonymous Coward · · Score: 4, Funny

      YM:

      Apple's way of checking if an app is valid:

      1: Does the app use competing products? Yes, denied.
      2: Is the app yet another flashlight or fart app? Approved.
      3: Does the app mention Google at all? It's outta here.
      4: Does the app do Web browsing? Gone.
      5: If it passes all of the previous 4, roll a d6. 1-4, approved, 4-6, denied for some random reason even though other apps got approved with the same issues.

    15. Re:Anti Virus? by mlts · · Score: 2, Interesting

      I'd like to see an antivirus scanner put into the fastboot or recovery image. This way, if a phone is rootkitted, someone can boot to the recovery, and run Tripwire like software which would catch unknown kernel modules, and for known malware signatures, a signature based AV would deal with those.

      However, let's be realistic: AV software is the absolutely last bastion of defense. Before malware can trip the AV software, the OS or application should have dealt with it by either ignoring it and forbidding it to run, or actively killing what it was doing.

    16. Re:Anti Virus? by symbolset · · Score: 1

      D00d - Android is Linux. The only purpose for antivirus in Linux is as a mail filter for Windows mail clients. The solution to this root kit is: don't lend people your phone. The begged question is, "why would I lend someone my phone?"

      --
      Help stamp out iliturcy.
    17. Re:Anti Virus? by erroneus · · Score: 2, Insightful

      Don't jump to conclusions about this. A rootkit is not a virus and isn't necessarily malware at all depending on how it is applied and used.

      I could describe similar behaving software as an anti-theft and tracking function. Say someone steals my shiny new android phone and I want it back. Once I have some sort of access to the phone, I can ask it to take pictures and send them back to me. I can ask it to get a GPS read and send it back to me. I can ask it to get a log of activities such as options explored and executed, phone calls, text messages, web or other internet activity, track motion and location data to show where the phone has been and when -- anything to help identify where the phone is and who took it. The door to this functionality, of course, would be triggered by a phone call from a particular source (or a particular caller ID) or a specially crafted SMS text message.

      This discussion isn't about INFECTING a phone with a phone call or SMS text message. The planting of the rootkit most often comes from the execution of untrustworthy code, for example, a Sony-BMG music CD. The rootkit would be inserted by a game or app that the user himself decided to execute. While there is always the possibility of a web drive-by installation the way we hear about on Windows computers, I think it is more likely that the user would have to be misled or fooled into running the code to install the rootkit.

      Such techniques would be used by both "bad guys" (criminals) and "other bad guys" (law enforcement).

    18. Re:Anti Virus? by Anonymous Coward · · Score: 0

      Score: 5, Informative

    19. Re:Anti Virus? by MrHanky · · Score: 4, Insightful

      How exactly is OS X an exception? If you think OS X has effective protection against trojans and root kits, you're deluding yourself.

    20. Re:Anti Virus? by zuzulo · · Score: 1

      VirtualBox on Android. Why not?

      Or at least some sort of microkernel based virtualization ... forget about antivirus, firewalls, and all that noise. Just give me a fire and forget OS that is refreshed anew with each power cycle. My cell phone is *supposed* to be an appliance, after all. Keep the data on the network, and refresh the OS from a known good copy every time i turn it on ...

      Who am i kidding, there is too much money in OS vulnerabilities for this to ever fly ... ;-)

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    21. Re:Anti Virus? by sexconker · · Score: 1, Insightful

      "Jail Broken" is a shitty term, and it's less valid than the term you're bitching about.

      Unlocked (or Application Unlocked) - able to install unsigned/unapproved/unofficial programs
      Carrier Unlocked - able to move across carriers (provided the radio and ID methodology (SIM card, for example) are supported)
      Rooted - Having root access on the phone
      Jail Broken - Derp I'm an Apple user derp

    22. Re:Anti Virus? by JustinRLynn · · Score: 0, Offtopic

      Mod parent up, for all the transparency Apple gives developers that might as well be the process.

    23. Re:Anti Virus? by node+3 · · Score: 1

      How exactly is OS X an exception?

      Due to the notably disproportionate lack of spyware on the Mac.

      If you think OS X has effective protection against trojans and root kits, you're deluding yourself.

      It's strange that people seem to always bring this up when no one is making the claim that is supposedly being debunked.

    24. Re:Anti Virus? by HappyClown · · Score: 2, Insightful

      For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

      How exactly is OS X an exception?

      Due to the notably disproportionate lack of spyware on the Mac.

      By that logic, if I leave my front door open year round yet don't get burgled, my home must be burglar proof!

    25. Re:Anti Virus? by MrHanky · · Score: 1

      You made the claim that OS X was a rare exception to the rule that unlocked hardware (sic) has a virus problem (or actually: that there is "a huge market for antivirus software" for such platforms). Yet this is blatantly untrue: hardly any OS except Windows (and the Amiga, back in the days) has a huge virus problem.

      And now you try to make the argument that OS X has little need for anti-virus software due to there being a disproportionate(?) lack of spyware for the platform. Spyware != virus, and a lack of spyware is hardly unique for OS X either.

      At any rate, this story has nothing to do with spyware. The root kit can only be installed intentionally or bundled with another program, as a trojan. Mac OS X already has enough of a trojan problem that Mac OS X trojans have been used to create botnets. You fanboys really are a confused and delusional bunch.

    26. Re:Anti Virus? by Anonymous Coward · · Score: 0

      Maybe the lack of multitasking will prevent the malware from running in the background. :D

    27. Re:Anti Virus? by Anonymous Coward · · Score: 0

      The first one is not "unlocked" it is "unverified" or even "unsigned".

    28. Re:Anti Virus? by Timmmm · · Score: 1

      There is already an 'anti-virus' app in the Android market. It has many 5 star reviews, but seeing as there *are* no android viruses yet I assume it just pretends to scan your system and then says 'no viruses found' or something.

    29. Re:Anti Virus? by LingNoi · · Score: 1

      If this is going to work as an anti theft device activated by an sms or phone call how are you going to know which number to call? The first thing a criminal does when stealing your phone is to take the battery and sim out.

    30. Re:Anti Virus? by Evtim · · Score: 0, Offtopic

      Can I have JUST a telephone please? You know, just to make calls.

      So, they are killing the ohh, so dangerous open PC's for the sake of ooops, so dangerous "appliances". Mission accomplished!

    31. Re:Anti Virus? by debatem1 · · Score: 1

      There are two problems with this: first, the difficulty of implementing it- porting an existing system can basically be ruled out by the use of Bionic and the tight performance constraints- and secondly there's the problem where the phone's only defense is to power cycle constantly, which is just as bad as having malware on it in the first place. Neither of these is impossible to overcome, but it's hard enough that I decided not to pursue it something like a year ago, and I'm something of a project masochist.

    32. Re:Anti Virus? by debatem1 · · Score: 1

      Amen. TFA implies- though it doesn't directly state- that this took root privs to install in the first place, at which point I don't need to remotely enable the malware- I've already got the ability to do whatever the hell I want.

    33. Re:Anti Virus? by delinear · · Score: 1

      But then how would the AV producers sell you the same product twice? Incidentally, to answer the original question about AV proliferating on mobile phones, there are already several products out there - I'm not sure what they actually do, since I've not heard of any mobile virii in the wild affecting these devices, I suspect they just scan for Windows virii to protect your OS when you hook up the phone as a mass storage device. I'm more than happy to install AV on my phone as and when someone demonstrates the need.

    34. Re:Anti Virus? by maxwell+demon · · Score: 1

      Not burglar proof. But obviously very unattractive for burglars.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    35. Re:Anti Virus? by delinear · · Score: 1

      Actually, there's already an App on the Android marketplace that does what you describe. I think you can call, email or SMS your mobile with a command that will enable a bunch of features, such as getting the GPS location via an online service, disabling or password protecting the phone or even triggering it to start beeping at full volume every time it's turned on. There's even an App which will check for the sim card being replaced and will alert you to the location of the phone when it's switched on. Okay, none of this will defeat the really determined thief who steals the phone and immediately removes the sim and flashes the thing, but against casual theft it's pretty useful and a great advertisement for the open nature of Android development.

    36. Re:Anti Virus? by delinear · · Score: 2, Informative

      Unless he wipes the OS too, there's already an app that, when your sim card is replaced, will send you a text message or email with the GPS location of the phone. If you have it send a text message, you also get the number of the new sim, so you can go directly to the police with the (reasonably) exact location of the phone and the contact details of the registered purchaser of the sim.

    37. Re:Anti Virus? by delinear · · Score: 1

      Of course, if you wanted people to think it was worth using, you'd occasionally flag up some "found 8 viruses, all successfully removed" kind of messages :)

    38. Re:Anti Virus? by delinear · · Score: 2, Interesting

      It's to be expected, we all know what a massive issue viruses are on Linux, so we shouldn't really expect a Linux-based phone to be any different. Oh, wait...

    39. Re:Anti Virus? by Keeper+Of+Keys · · Score: 0, Offtopic

      #4 is inaccurate - Opera mini has been approved for iPhone.

    40. Re:Anti Virus? by Anonymous Coward · · Score: 2, Informative

      "Signed" in Android terms doesn't actually mean much. Developers self-sign their apps. The point? I really don't know. What you're talking about is the setting that allows users to install apps from sources other than the Market.

    41. Re:Anti Virus? by Anonymous Coward · · Score: 2, Interesting

      Who's stopping you from buying a plain cell phone? Spend $50, get an unlocked quadband GSM phone that works anywhere in the world, and the battery lasts nearly two weeks. I had one from Samsung for a while, it worked great.

      The rest of us want some kind of highly portable computer that also happens to make phone calls. And we pay quite a bit more for that.

    42. Re:Anti Virus? by Anonymous Coward · · Score: 0

      The problem is that in the world of cellphones, 'unlocked' already has a very specific meaning -- that the phone is not tied to a particular carrier and can be used with any one so long as the correct radio transceiver is in it. Using the term to now mean something completely different just leads to confusion and dilution of the meanings.

      Isn't this exactly the sort of thing that geeks always get upset about (hacker, bricked, etc)?

    43. Re:Anti Virus? by kav2k · · Score: 0, Offtopic

      You can't even make a proper table for d6 results..

    44. Re:Anti Virus? by Anonymous Coward · · Score: 0

      I think you're being a little pedantic about the use of the terms spyware, virus, and trojan.

      Every virus and trojan I've run across in the last year has carried some kind of spyware payload. Every one. Enough so that I'm starting to think of them all the same way.

      I only mention this because the pedanticism detracts from your other points, which in my opinion are quite valid.

    45. Re:Anti Virus? by Anonymous Coward · · Score: 0

      Mac OS X already has enough of a trojan problem that Mac OS X trojans have been used to create botnets.

      [citation needed]

    46. Re:Anti Virus? by Anonymous Coward · · Score: 0

      I hope not. The constant definition updates would use up my whole data plan very quickly.

    47. Re:Anti Virus? by quacking+duck · · Score: 1

      Mac OS X already has enough of a trojan problem that Mac OS X trojans have been used to create botnets.

      [citation needed]

      From Tuesday's Fox News of the Apple world, MacDailyNews itself:
      http://macdailynews.com/index.php/weblog/comments/25439/

      The software (screensavers mostly, but at least one application) was listed on several major, reputable Mac software aggregation sites.

      Perhaps not a botnet this time, but after giving the admin password during installation, any payload could have been installed.

    48. Re:Anti Virus? by dougisfunny · · Score: 3, Informative

      Which isn't a real browser anyway.

      --
      This is not the funny you're looking for.
    49. Re:Anti Virus? by Fr33thot · · Score: 1

      He's not being pedantic. It may or may not be true that "Every virus and trojan I've run across in the last year has carried some kind of spyware payload." The reverse of that is not true. So someone saying "OS X has little need for anti-virus software due to there being a disproportionate(?) lack of spyware" may actually be thinking spyware only comes from SPAM. People like that are less likely to adopt safe surfing practices and contribute to the spread of malware. There IS value in being accurate here.

    50. Re:Anti Virus? by Anonymous Coward · · Score: 0

      The point is so that when you update that app, you know that the update is coming from the original author.

      Android also has some pretty good access controls in that every app will tell you what features of the phone it uses, so when you download a fart app and it tells you "this app uses the internet connection and the GPS radio" you might think twice. Or not: users are pretty stupid, after all.
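The update rule described in the comment above, as an added example that is not part of the original thread and is not Android's own code: a small Python model in which the first install pins the signing certificate and later updates are accepted only from the same signer, with newly requested permissions surfaced for review. The `Apk` and `Installer` names, the package name and the certificate bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Apk:
    """Constructed stand-in for an APK: only the fields this check needs."""
    package: str
    version_code: int
    signer_cert: bytes  # bytes of the developer's (self-signed) certificate
    permissions: frozenset = field(default_factory=frozenset)


def cert_digest(cert: bytes) -> str:
    """Identity of a signer is the certificate itself, not a CA chain."""
    return hashlib.sha256(cert).hexdigest()


class Installer:
    """Toy model of 'same signer on update' (hypothetical, for illustration)."""

    def __init__(self):
        # package name -> (pinned signer digest, version, granted permissions)
        self._installed = {}

    def installed_version(self, package: str):
        entry = self._installed.get(package)
        return entry[1] if entry else None

    def install(self, apk: Apk) -> dict:
        digest = cert_digest(apk.signer_cert)
        current = self._installed.get(apk.package)

        if current is None:
            # First install: nothing to compare against, so the signer is
            # trusted on first use and every permission is shown to the user.
            self._installed[apk.package] = (digest, apk.version_code, apk.permissions)
            return {"result": "installed",
                    "added_permissions": sorted(apk.permissions)}

        pinned, _version, granted = current
        if digest != pinned:
            # A self-signed certificate proves nothing about who the author
            # is, but it does prove this update is not from the same author.
            return {"result": "rejected", "reason": "signer mismatch",
                    "added_permissions": []}

        added = apk.permissions - granted
        self._installed[apk.package] = (pinned, apk.version_code, apk.permissions)
        return {"result": "updated", "added_permissions": sorted(added)}


if __name__ == "__main__":
    dev = b"constructed-developer-certificate"
    other = b"constructed-different-certificate"
    pm = Installer()
    print(pm.install(Apk("com.example.noise", 1, dev,
                         frozenset({"android.permission.INTERNET"}))))
    # Same package name, different signer: refused, installed copy untouched.
    print(pm.install(Apk("com.example.noise", 2, other,
                         frozenset({"android.permission.READ_SMS"}))))
    # Same signer, but the update asks for location: accepted and flagged.
    print(pm.install(Apk("com.example.noise", 2, dev,
                         frozenset({"android.permission.INTERNET",
                                    "android.permission.ACCESS_FINE_LOCATION"}))))
```

The model shows both halves of the comment: self-signing gives continuity of authorship across updates rather than identity, and the permission list is the only signal left to the user when the first install itself is the trojan.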

    51. Re:Anti Virus? by 12345Doug · · Score: 1

      Is there any reason to run antivirus on PCs any more? I've taken mine off a long time ago. Most virus' (viri????) I've found come in the form of email attachments and there is always a virus check from the server on that. Other than that it's mostly trojans and malware from websites. Malwarebytes or similar malware checking software is about all I bother with. And I even wonder about that as I need to manually delete some of the stuff anyway. If that's the case why bother at all?

    52. Re:Anti Virus? by knarf · · Score: 1

      That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

      Eh? Assuming that you are talking about the user installing software instead of the software installing itself without the users approval please elaborate why OS X is an 'exception to the rule'? If you install 'see dancing bunnies NOW' on anything Apple you're just as p0wn3d as you would when you install it on anything else.

      And 'price you pay for unlocked hardware'? Bovine Excrement de luxe! Those locks are not there to keep the crooks out, did you think that was the idea? I don't have a single bit of locked hardware but have no fears when I apt-get whatever. No locks needed. They are there for YOU.

      Don't believe everything the Apple priest says.

      --
      --frank[at]unternet.org
    53. Re:Anti Virus? by Anonymous Coward · · Score: 0

      Maybe. It sounds like the main premise of this rootkit is that the user elects to install it (and then once they do that, the phone has two masters). If they are predicting that a rootkit like this is a practical threat, then they're predicting that users will elect to install malware. Given a situation like that, an AV market should exist, as well as some other normally-unnecessary things.

    54. Re:Anti Virus? by hitmark · · Score: 1

      the osx "exception" is more a case of obscurity than by design.

      heck i think it's shown that osx has the worst security of any *nix out there.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    55. Re:Anti Virus? by LongearedBat · · Score: 1

      Oh, I thought rooted meant f*#!ed. ;)

    56. Re:Anti Virus? by hitmark · · Score: 1

      but can you trust the hardware?

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    57. Re:Anti Virus? by v1 · · Score: 1

      Perhaps not a botnet this time, but after giving the admin password during installation, any payload could have been installed.

      "User gives random downloaded software his admin password and bad things happen. Film at 11."

      duh. The reason this is not common on the mac is you haven't completely compromised the machine at that point. Doing things like enrolling in a botnet requires additional exploitation. Hence it's far less valuable to trojan a mac user because you've got a lot more work to do still before you own the machine.

      The basics of social engineering your foot in the door will always be there, for any platform. What you can accomplish with a mere foot in the door is what defines how many feet you are going to be seeing.

      Windows security is not well layered, it's more absolute. You're either a basic user that can't do a lot of things that many users need to be able to do, (discouraging people from even wanting to BE a basic user) or you're essentially root. One exploit = totally owned.

      --
      I work for the Department of Redundancy Department.
    58. Re:Anti Virus? by FatdogHaiku · · Score: 1

      As much as you can the network, I guess...
      So, no, probably not...
      Geez, I hope we don't end up having to go to RadioShack to get a cell phone kit and a tiny soldering iron tip.

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    59. Re:Anti Virus? by Anonymous Coward · · Score: 0

      Slashdot's way of modding posts:

      1. Is it anti MS? Mod up.
      2. Is it anti Apple? Double plus good, mod up.
      3. Is it anti Google? Mod it into the dirt, then pee on grave.
      4. Did it add any value to the original topic of conversation? No? But did it include any of the above? Then MOD UP!

      I'm just saying, sometimes it takes a long scroll through the page to get to any meat.

    60. Re:Anti Virus? by hitmark · · Score: 1

      if the kit contains microchips you may still be up shit creek...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    61. Re:Anti Virus? by omega_dk · · Score: 1

      No, it works. On a 4 it's accepted, then later pulled for a random reason.

      --
      Just because you don't like the truth, does not make it false.
    62. Re:Anti Virus? by Anonymous Coward · · Score: 0

      Get yourself some industrial strength douche. About 50 gallons. Climb into the barrel, and pull the lid back onto the barrel. Have someone bolt the lid for you. We'll all feel better.

    63. Re:Anti Virus? by jedidiah · · Score: 1

      ...in the end we are still left with some bog standard basics.

      1) Don't take candy from strangers.
      2) Don't let your email app take candy from strangers.

      Once you've eliminated the automated attack vectors, you cut down on the
      vulnerability of a platform nearly completely. End users have to go out
      of their way to hurt themselves. Some people want you to believe that only
      an environment like an iPhone is safe but that's bullshit with plenty of
      counterexamples.

      Even the Mac (overall) is an effective counterexample.

      There is simply no "clear and present danger" that warrants giving up all of our computing freedom.

      Microsoft has conditioned everyone to think PCs are unavoidably crap and Apple is willing to exploit that ignorance for their own gain.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    64. Re:Anti Virus? by node+3 · · Score: 1

      You made the claim that...

      No I didn't. That was someone else. I made the claim that v1 didn't make the claim that you were debunking.

      And now you try to make the argument that OS X has little need for anti-virus software due to there being a disproportionate(?) lack of spyware for the platform. Spyware != virus, and a lack of spyware is hardly unique for OS X either.

      I claimed that Mac OS X was uniquely lacking spyware, I said it was disproportionate in the problem it has with spyware. You don't get to make points by attacking things people aren't saying.

      As for virus vs spyware, I never said there wasn't a difference. I was agreeing with the reason Mac OS X doesn't need antivirus is that there is very little problem with spyware. You may not know this, but antivirus software also targets spyware (maybe you should send them feedback telling them that "virus != spyware", and see how they take it). I was actually being kind to your point, however, while there is a small amount of spyware for the Mac, there are zero viruses.

      At any rate, this story has nothing to do with spyware.

      That's not true. The story talks about collecting personal data from the phone. But that doesn't even come into play as what I was replying to was what you said, and you were replying to someone who was talking about antivirus and malware. As far as both the thread goes, and as the story itself goes, I was entirely on topic.

      Mac OS X already has enough of a trojan problem that Mac OS X trojans have been used to create botnets

      Please quote where I or the OP said otherwise. As for myself, I said that it isn't much of a problem, and it isn't. I don't know of an actual botnet. Maybe there has been one (I'm suspicious of your claim), but as things currently stand, all forms of malware, whichever category you wish to limit yourself to, or all combined, Mac OS X does not have a problem with them. There are a few examples of spyware, and a Trojan or two, etc., but that's about it.

      You fanboys really are a confused and delusional bunch.

      What's confused and delusional is what you seem to think anyone here is saying. You keep replying with straw men. When someone says you don't need antivirus on the Mac, that doesn't mean they said, "OS X has effective protection against trojans and root kits".

      Try responding to what people have actually said next time.

    65. Re:Anti Virus? by node+3 · · Score: 1

      For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

      How exactly is OS X an exception?

      Due to the notably disproportionate lack of spyware on the Mac.

      By that logic, if I leave my front door open year round yet don't get burgled, my home must be burglar proof!

      Please explain how your analogy is correct. Specifically, quote where I said Mac OS X is spyware-proof (or anything else that validates your analogy).

      Oh wait, maybe first you could simply quote the part you left out where I said the exact opposite! Here, let me save you the trouble:

      If you think OS X has effective protection against trojans and root kits, you're deluding yourself.

      It's strange that people seem to always bring this up when no one is making the claim that is supposedly being debunked.

      Doesn't really help your case, I can see why you left it out. Not terribly honest on your behalf, however.

    66. Re:Anti Virus? by MrHanky · · Score: 1

      Ah, yes, you and v1 are obviously different people. Sorry about that -- as you seemed to be explaining what v1 had meant to say, I expected you to be him. Still, you don't have a point. There's nothing disproportionate to Mac OS X's lack of spyware -- spyware is pretty much a Windows only thing. So OS X isn't an exception due to a disproportionate lack of spyware. BeOS, Linux, *BSD, OS/2, AmigaOS, Hurd, Plan9, all are just as "few and far between".

      Also, this story is about a rootkit. Of course a rootkit can be used for spying, just like it can be used for absolutely everything else, but spyware is so much less. In reality, a rootkit will be installed either on purpose or as a trojan. In the context of this discussion, it has to be discussed as a trojan, which is something AV software should take care of. Like v1 said: protect the users against themselves. OS X offers no particular protection against trojans and does in fact have a real problem with it (use google for OS X + botnet). So, to recapitulate: OS X is nothing special.

    67. Re:Anti Virus? by Anonymous Coward · · Score: 0

      The random number is 4. so it falls into both approved and denied categories.

      "RFC 1149.5 specifies 4 as the standard IEEE-vetted random number."

    68. Re:Anti Virus? by node+3 · · Score: 1

      Still, you don't have a point. There's nothing disproportionate to Mac OS X's lack of spyware -- spyware is pretty much a Windows only thing. So OS X isn't an exception due to a disproportionate lack of spyware. BeOS, Linux, *BSD, OS/2, AmigaOS, Hurd, Plan9, all are just as "few and far between".

      Mac OS X is the number 2 operating system, at around 10% of users, but is not the number 2 operating system in terms of malware (Linux is #2), and it also has far less than 10% of the malware out there.

      BeOS, Linux, *BSD, OS/2, AmigaOS, Hurd, Plan9, all are just as "few and far between".

      And all of those OS's combined make up less than the Mac's market share. I never said they had a lot of malware or anything like that.

      Also, this story is about a rootkit. Of course a rootkit can be used for spying, just like it can be used for absolutely everything else, but spyware is so much less. In reality, a rootkit will be installed either on purpose or as a trojan. In the context of this discussion, it has to be discussed as a trojan, which is something AV software should take care of.

      I was replying to the topic of OS X not needing antivirus software. You can't arbitrarily limit the topics I can discuss, especially if those topics address a comment someone has made. For example, I can't tell you not to bring up OS/2 because this is a story about Android.

      OS X offers no particular protection against trojans

      No one said it did. It was only *you* who are claiming that that's what people have said here.

      and does in fact have a real problem with it (use google for OS X + botnet).

      That's an absolute lie. Mac OS X does not have a "real problem with trojans". There are Mac OS X trojans, but they aren't a problem. They are a rarity.

      So, to recapitulate: OS X is nothing special.

      Please quote where I said it was, in terms of being somehow immune or otherwise significantly resistant, technologically, to spyware, trojans or rootkits. All that I said is that Mac OS X doesn't need antivirus software because it doesn't really have a malware (of any type) problem. Just because there exist a few trojans does not mean that it's a problem. People still die of the bubonic plague, but it's not something any rational person would classify as a problem.

    69. Re:Anti Virus? by MrHanky · · Score: 1

      So, to recapitulate: OS X is nothing special.

      Please quote where I said it was, in terms of being somehow immune or otherwise significantly resistant, technologically, to spyware, trojans or rootkits. All that I said is that Mac OS X doesn't need antivirus software because it doesn't really have a malware (of any type) problem.

      In your first comment of this thread: "[It's exceptional] Due to the notably disproportionate lack of spyware on the Mac." My argument is simply: It isn't notable or disproportionate at all. OS X is no exception. Linux does have more rootkits (it's both older and much bigger on the server than OS X; the typical Linux install running services open to the net), but no more spyware, and fewer trojans (due to less (pirate) software being downloaded from dubious sources).

      So: Your claim is that OS X is exceptional. My claim is that 1) it isn't, and 2) neither does it have any special resistance. I can say 2) without you claiming the opposite.

    70. Re:Anti Virus? by node+3 · · Score: 1

      My argument is simply: It isn't notable or disproportionate at all. OS X is no exception.

      And my argument is you're wrong.

      I don't think anyone is disputing these facts:

      1. Windows has ~90% market share, but well more than 90% market share of malware.
      2. Mac OS X has ~10% market share, but has well less than 10% market share of malware.
      3. Linux has a couple percent market share, but has more total malware, than Mac OS X.

      In that scenario, Mac OS X most certainly does stand out particularly uniquely. In other words, in relative terms, both Windows and Linux have more malware than Mac OS X. Not only that, but they each both have more total malware than Mac OS X, even though one of them has significantly less market share.

      Yet somehow you claim that <waves hands> and therefore <something vague> Mac OS X isn't special.

      it's [Linux] both older and much bigger on the server than OS X

      Aside: OS X predates Linux by many years, as it's the modern version of Nextstep.

      Linux does have more rootkits (it's both older and much bigger on the server than OS X; the typical Linux install running services open to the net), but no more spyware, and fewer trojans (due to less (pirate) software being downloaded from dubious sources).

      This is an example of your creative interpretation. Taken in total, there is more malware for Linux than there is for Mac OS X, in spite of Mac OS X's market share being many times that of Linux's.

      So: Your claim is that OS X is exceptional. My claim is that 1) it isn't

      A claim you've yet to support. All you've said is "There is spyware on the Mac, Google it!" and "Linux, um... something something".

      and 2) neither does it have any special resistance.

      That wasn't what you said, though. You said, "If you think OS X has effective protection against trojans and root kits, you're deluding yourself." That was a straw man argument which I was calling you out on.

    71. Re:Anti Virus? by Anonymous Coward · · Score: 0

      Bad Aussie! No meat for you.

    72. Re:Anti Virus? by MrHanky · · Score: 1

      You're being dishonest. Your original claim was spyware specifically. There's no more spyware on Linux than on OS X (~0), no more viruses, and no more trojans. In addition, you can't pretend a 10% desktop userbase (a gross overestimate: it's between 5% and 8%) equals a bigger share on the server, which is the main attack vector for Linux; unattended servers getting rooted. OS X is entirely irrelevant on the server, whereas Linux is pretty big. NextStep was never used on the server, btw. So, let's say Linux is rooted more often than OS X -- for computers open to attack from the internet, Linux has 172 times the installed base of OS X.

      Also, I haven't said there is spyware on the Mac. In fact, I've said there's none, and that there's nothing special to it. You still haven't pointed out any spyware for Linux.

    73. Re:Anti Virus? by zuperduperman · · Score: 1

      > "Signed" in Android terms doesn't actually mean much

      Well, it does in a way. Assuming the app came from the market then it means Google has established a real world relationship to a real world person based on that signature (usually, because they have done a credit card transaction, etc). So when you get an app from the market that turns out to be malware you (or Google) actually have a provable link to the person that distributed it to you and also non-repudiatable evidence that they intended to distribute it (because they signed it). Which all means that in theory you could sue the person who gave you the malware.

      I think the deterrent effect of this is probably the main reason we haven't seen much malware yet.

    74. Re:Anti Virus? by zuperduperman · · Score: 1

      The problem is, permissions are an all or nothing choice and many applications request privileges they don't really need (knowing your location is one of the most common ones, often to present targeted advertising), so people pretty quickly get used to just clicking OK to everything.

      What I wish is that each security option was a checkbox so that I could install any app but deny it select privileges. When you deny privileges the app would still "work" but it would actually be talking to a stub for the real function (such as GPS or sending SMS) that fakes the function out. Authors could still code their apps to detect this and deliberately fail but by default their apps would "function" and you could evaluate how much you trust it before you turn on the full permissions.

      [A good example: I like "fring" as a Skype substitute but I hate the fact it can send SMSs. I worry that if they turn evil they may start sending spam SMSs using my phone. I would love to be able to tell it to just give fring a fake SMS function but let the rest of the app work.]

    75. Re:Anti Virus? by LingNoi · · Score: 1

      Yeah, but that wasn't the GP's point, which was an app that's activated by calling or sms. Obviously a device that is activated by some other means would work.

    76. Re:Anti Virus? by node+3 · · Score: 1

      You're being dishonest. Your original claim was spyware specifically.

      It was an example, not an exhaustive list. Like I said later, I was being kind to you by not saying virus, which the Mac has none.

      There's no more spyware on Linux than on OS X (~0), no more viruses, and no more trojans.

      Now who's being dishonest? You've notably left out root kits.

      In addition, you can't pretend a 10% desktop userbase (a gross overestimate: it's between 5% and 8%) equals a bigger share on the server, which is the main attack vector for Linux; unattended servers getting rooted.

      I never said anything about servers. I'm talking overall numbers, and I'm correct (within reason, I also didn't say "exactly 10%", but "~10%", which is reasonably accurate enough for this discussion).

      NextStep was never used on the server, btw.

      Ignoring the fact that the first web server ever was a NeXT cube, NeXT's server market share is irrelevant. You claimed that Linux was around longer than Mac OS X, which isn't exactly correct (neither is the claim that Nextstep was never used as a server, but that's completely off topic and irrelevant).

      So, let's say Linux is rooted more often than OS X -- for computers open to attack from the internet, Linux has 172 times the installed base of OS X.

      Your insistence on limiting the discussion to servers is not reasonable on the topic of Mac OS X not needing antivirus software. Why are you so touchy on the topic of Linux? It has a significantly smaller market share than Mac OS X, and more malware. Both true facts, and the relative shares of Mac OS X and Linux on the server doesn't change that.

      Also, I haven't said there is spyware on the Mac. In fact, I've said there's none, and that there's nothing special to it. You still haven't pointed out any spyware for Linux.

      I never said there was, I said "malware".

      Of the two topics, we're not going to agree on the status of Mac OS X and malware. The numbers indicate something out of the norm, but you just don't care. Admitting that there's something there doesn't mean you have to like Apple or anything, but to be so obstinate on the topic is puzzling. Theory is one thing, but what's actually the case should count for something, shouldn't it?

      As for the second issue, your straw man about people claiming Mac OS X is somehow immune to malware, I assume that you have ceded this, since you've chosen not to address it.

  2. Hacking mobiles by lobf · · Score: 2, Interesting

    Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as they increase in popularity? I'm not being facetious, I come here because I don't know these answers.

    1. Re:Hacking mobiles by Anonymous Coward · · Score: 0

      Imagine a mobile based botnet?

      The SMS market alone would be huge, say sign 10,000 phones to those crappy subscriber ring tone companies, etc ... the possibilities are endless.

    2. Re:Hacking mobiles by Seth024 · · Score: 2, Interesting

      That's certainly possible.

      The big problem I believe is that there are so many different operating systems (Symbian, iPhone OS, Android...) that all have a part of the market. Being able to write a virus/find a backdoor to control 90% of PCs is very profitable. Just like there are not many people writing viruses for Mac OS or Linux, there are not many viruses for mobile phones (yet).

    3. Re:Hacking mobiles by digitalchinky · · Score: 1

      It used to be in the Symbian S60V2 era. These days as a result of commercial entities wanting to eliminate piracy and others wanting to make wads of cash through sales of certificates, your average cell phone is pretty much locked down. If you want to install an application capable of doing anything more complex than "Hello World" you'll need to have it signed first.

      That said, not all handsets are closed, the Nokia N900 comes with its own xterm right out of the box - root is just a 'sudo getroot' away : ) Applications are trivially simple to install. I don't believe Nokia has sold terribly many of them, so I can't imagine it's a popular target for crapware.

    4. Re:Hacking mobiles by erroneus · · Score: 1

      A LOT of useful data on an individual could be collected from smart phones including where they do business and other commerce. So instead of sending out random spam/phishing emails that alert and confuse people because they don't have an account at "Bank of Whatever." They could identify, among other things, what banks and shops they have visited and then send them targeted attacks saying "your recent visit to has made you eligible for this special offer. Please go and sign up for and provide your personal details now!"

      The more focused such things can be, the more believable they become. Not only could banking information get compromised, but other financials/personals as well. And this phishing would no longer need to appear to come from banks, it could then come from Best Buy or whatever store you might buy expensive things from.

    5. Re:Hacking mobiles by delinear · · Score: 2, Interesting

      I would have thought, if it was easy, it would certainly already be happening. The smartphone market might be small compared to a desktop OS like Windows, but the possibility for profit is much more immediate, since you have a device which can connect to premium services without any further need to obtain secure passwords or banking details, etc. from the owner. You just set up a premium number in a foreign locale, have the software wait until the phone is idling (on charge maybe, and not been touched for a couple of hours, so you can assume the owner is probably asleep) then have it dial into your number and rake in the money. Much simpler than monetising a botnet, to my mind. And while the proliferation of smartphones amongst the masses is a recent thing, there have been smartphones in widespread use, in business particularly, for many years - including Windows mobile (if I had to put my trust anywhere, it would be in a *nix derived OS).

      That's not to say it won't happen, but I'd go out on a limb and say the only attacks we're likely to see in the near future are of the social engineered, trick/entice the user into installing an app with a trojan piggybacking. While people are dumb enough to fall for such attacks there'll be little benefit in writing real viruses. One thing I like about the Android OS is that, when I install a piece of software, it will flag up all the phone processes that the app needs access to (so I can be justifiably suspicious if the new screensaver I'm installing wants access to the phone's dialling ability).

    6. Re:Hacking mobiles by TyFoN · · Score: 1

      You can install unsigned applications on Android as well.
      But to install a rootkit (as described in TFA), first you need to find a telephone that is rooted and has a custom rom that has a custom kernel that enabled the loading of kernel modules. Then you need to get the user to actually install the trojan and click "yes" to the "do you want this to run as root". A person with a phone in that configuration is unlikely to click yes for a game or something like that anyway.

  3. lol by larry+bagina · · Score: 2, Interesting

    Microsoft Talks Back To Google's Security Claims -- coincidence?

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

    1. Re:lol by Anonymous Coward · · Score: 0

      ...this "exploit" exists on every phone/pc/mac on the planet.

      If the user installs an app and says "yes I give you access to every permission you want on my phone"... then they fucking deserve to be hacked.

    2. Re:lol by maxwell+demon · · Score: 1

      ...this "exploit" exists on every phone/pc/mac on the planet.

      No. It clearly doesn't exist on traditional phones. You cannot install apps on them.

      --
      The Tao of math: The numbers you can count are not the real numbers.

  4. Don't worry, be happy! by jo42 · · Score: 1

    Google will fix it in 2.3 Sherbet.

    - T. Roll

    1. Re:Don't worry, be happy! by Anonymous Coward · · Score: 0

      ....this "exploit" is on every phone/pc/mac on the planet.

    2. Re:Don't worry, be happy! by Anonymous Coward · · Score: 0

      2.5 Chocolate torte. Mmmmm.

    3. Re:Don't worry, be happy! by Anonymous Coward · · Score: 2, Insightful

      It's not a bug. They say "once it's installed." This isn't a rootkit, it's just an app that responds to incoming calls (anyone can do this now). There would still need to be an exploit to get the app installed in the first place. The title is certainly a little misleading.

    4. Re:Don't worry, be happy! by masterwit · · Score: 1

      It's not a bug.

      It's a feature!

      --
      We should start a new Slashdot and return control to the geeks. It actually wouldn't be that hard to get some users to

    5. Re:Don't worry, be happy! by JonJ · · Score: 0, Troll

      Which you'll have to get a new phone to get, since none of the carriers nor the supplier of the phones have a proper upgrade plan.

      --
      -- Linux user #369862

    6. Re:Don't worry, be happy! by worx101 · · Score: 1

      You cannot fix stupid... If a user installs it and accepts everything and the kitchen sink (even if they mean to or not) then there just is no protection against that.

    7. Re:Don't worry, be happy! by FunkyELF · · Score: 1

      I don't see what there is to fix.
      The nice thing about an open platform is that you can install anything you want.
      Just un-check the box that only lets you install from trusted sources.
      The article simply said "Once it's installed on the Android phone".
      Later on it said it ran as a kernel module. I bet this is only installable voluntarily by someone with a rooted phone anyway and I say if the user wants to install a root-kit, let them install a root-kit.

  5. just like installing a trojan on your computer! by Anonymous Coward · · Score: 5, Interesting

    ...which could let the hacker get access.

    I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

    And the ability to "listen" for a call is called a BroadcastReceiver. It's nothing special or hackish. Think a trigger ruleset for Android like you have for your mail client.

    Good god.
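
As an added illustration (not code from the comment above, from the researchers, or from Android itself): a manifest audit that lists every BroadcastReceiver an app statically registers for call or SMS broadcasts, the mechanism this comment describes and the thing the install-time permission list is hinting at. The manifest, the package name and the `audit` function are constructed for this example; the action and permission strings are Android's own.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # attribute namespace

# Telephony broadcasts an app can wake up on, and the permission each one needs.
TELEPHONY_TRIGGERS = {
    "android.provider.Telephony.SMS_RECEIVED": "android.permission.RECEIVE_SMS",
    "android.intent.action.PHONE_STATE": "android.permission.READ_PHONE_STATE",
    "android.intent.action.NEW_OUTGOING_CALL":
        "android.permission.PROCESS_OUTGOING_CALLS",
}

# Constructed sample: a decoded manifest for a hypothetical "game" that also
# registers receivers for incoming SMS and phone-state changes.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.towerdefense">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Tower Defense">
    <activity android:name=".GameActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallListener">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootListener">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _priority(intent_filter):
    """Return android:priority as an int, or None if it is not a literal."""
    raw = intent_filter.get(ANDROID + "priority", "0")
    try:
        return int(raw)
    except ValueError:
        return None  # e.g. a resource reference instead of a number


def audit(manifest_xml):
    """List receivers registered for telephony broadcasts in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            for action in flt.iter("action"):
                name = action.get(ANDROID + "name")
                if name in TELEPHONY_TRIGGERS:
                    findings.append({
                        "receiver": receiver.get(ANDROID + "name"),
                        "action": name,
                        # An elevated priority asks to be delivered the
                        # broadcast ahead of other receivers.
                        "priority": _priority(flt),
                        # Without the matching permission the receiver is inert.
                        "permission_requested": TELEPHONY_TRIGGERS[name] in perms,
                    })
    live = [f for f in findings if f["permission_requested"]]
    return {
        "package": root.get("package"),
        "findings": findings,
        # A telephony trigger plus INTERNET means the woken code can talk out.
        "network_capable": "android.permission.INTERNET" in perms,
        "verdict": "review" if live else "ok",
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(report["package"], "->", report["verdict"])
    for f in report["findings"]:
        print("  %(receiver)s wakes on %(action)s (priority %(priority)s)" % f)
```

Receivers registered at runtime with `registerReceiver()` do not appear in the manifest, so the requested-permission list remains the check that cannot be skipped.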

    1. Re:just like installing a trojan on your computer! by clang_jangle · · Score: 1

      Yep, it's a trojan.

      From FTFA:

      Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS (short message service) message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. "You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program]," said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research.

      --
      Caveat Utilitor

    2. Re:just like installing a trojan on your computer! by AndroidCat · · Score: 3, Interesting

      (If they can rootkit my Milestone down past the locked loader, I want to know how! [Yeah, of course I got an Android phone, it was .. destiny.])

      Odds are there are far more stupid "smartphone" users than PC/Mac ones.

      Want to tap virgin pools of stupidity? There's an app for it!

      --
      One line blog. I hear that they're called Twitters now.

    3. Re:just like installing a trojan on your computer! by JaZz0r · · Score: 0

      What Android version(s) does this affect? The latest public release (v2.1 stock) hasn't even been rooted by the mod community.

      --
      "Careful! We don't want to learn from this!" -Calvin & Hobbes

    4. Re:just like installing a trojan on your computer! by SQLGuru · · Score: 1

      All it takes is one cool app that people want (say, a really cool free Tower Defense game) that incorporates the Trojan. The point of the Trojan is that it pretends to be something you want to get you to install it. Until someone figures out that it's a Trojan, it'll spread like wildfire.

    5. Re:just like installing a trojan on your computer! by mlts · · Score: 4, Informative

      Even if a user gives permissions, they may get their account and messages compromised, but unless there is an exploit the malware uses that isn't known by the modding/rooting community, there is NO WAY that something installed as an APK in a user account on a phone is going to be able to get root access to drop in a kernel module. Even if it did, phones like the Motorola Milestone have signed Linux kernels and are not built with the ability to load modules, so all it would do is nothing or cause the phone to bootloop.

      Don't forget, that a lot of kernels on Android phones are built monolithic and not allowing kernel extensions. A custom kernel that is explicitly built to allow .ko files on a G1 is likely what is needed for this exploit.

      I can see three ways that this kernel rootkit (which is nothing new -- there have been Linux kernel modules for rootkits since the late 1990s) can get on an Android device, and all three require a rooted phone:

      1: The app masquerades as a root utility. There are some utilities which are very useful for rooted phones. Droidwall, Autostarts, Wireless Tether, Wired Tether, root explorer, Titanium Backup, SQLite Editor, and a terminal emulator are must have utilities, because they add a lot of useful functionality. I can see a utility masquerading as something useful for rooted phones, getting installed, then going to town on the phone, replacing BusyBox with a utility that hides the rootkit, opening up a command port, and so on.

      2: Some malware is put on a custom ROM. This would kill the custom modding scene as we know it if this happens, and makes me wish that people who "cook" ROMs would PGP or gpg sign the images, so a determined blackhat would not be able to tamper with things.

      3: An app gets access to the SD card, manages to alter nandroid backups on the card and/or add an update.zip file which is signed, and then runs an update. This way, the malware package would be sucked in implicitly.

      So, for the average user with Android, a rootkit isn't going to happen unless it uses an exploit, and these days, RAMDLD exploits and such are rare for phones.

    6. Re:just like installing a trojan on your computer! by mlts · · Score: 1

      Maybe this is where Android "fragmentation" might be good. An exploit that works for Android 1.5 and the Samsung Behold 2 likely won't work on a Droid running 2.1, especially if it uses a kernel module, and almost definitely won't work if neither phone is rooted.

    7. Re:just like installing a trojan on your computer! by Anonymous Coward · · Score: 0

      What can we do to defend against this? To prevent most trojans, we could make sure only known (trusted) users can sell applications. That would require a centralized application marketplace. But even with service representatives poring over each app for weeks, they aren't going to catch everything. Some apps might have malicious code that doesn't become apparent until long after it's installed. To minimize the problem, there should be some way to remote wipe any apps known to be malicious. That way, even a time delayed trojan can be removed from all the phones in the world within hours of being discovered. I bet if we put these kinds of features in place, the geek community would praise us for being forward thinking, and commend our work!

    8. Re:just like installing a trojan on your computer! by Anonymous Coward · · Score: 0

      Yes because I won't be suspicious when a Tower Defense game asks me for permission to intercept phone calls???

    9. Re:just like installing a trojan on your computer! by Anonymous Coward · · Score: 1, Funny

      This is a dumb idea that would cause massive backlash. It would be like treating all your customers like idiots without the sense to look after themselves. Actually people are idiots without the ability to look after themselves so it would probably take off and spread like wildfire through the mildly retarded public.

    10. Re:just like installing a trojan on your computer! by RenderSeven · · Score: 2, Interesting

      What can we do to defend against this?

      Generally, don't lend your phone to security researchers at hacking conferences. Writing a rootkit makes good headlines but the article says they freely admit they don't have a clue how to install it with a rogue application.

    11. Re:just like installing a trojan on your computer! by Securityemo · · Score: 1

      Something being "special or hackish" doesn't matter, as long as it works. The only reason to use convoluted-but-well-known methods instead of the platform API is to dodge security; there is no reason to do such things if there's nothing to dodge.

      --
      Emotions! In your brain!

    12. Re:just like installing a trojan on your computer! by toadlife · · Score: 1

      This would kill the custom modding scene as we know it if this happens, and makes me wish that people who "cook" ROMs would PGP or gpg sign the images, so a determined blackhat would not be able to tamper with things.

      It wouldn't kill the scene, but it would certainly encourage ROM makers to provide checksums for/sign their releases and not preconfigure the OS to be so promiscuous.

      I cook my own Windows Mobile ROMs and sign every custom exe and dll that I insert into the ROM with my own self generated cert and pre-configure the OS to trust that cert. Most (Windows Mobile) ROM makers just configure the OS to allow unsigned apps by default.

      Your idea is a good one. If/when I decide to release my ROM, I will provide checksums for the image.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

    13. Re:just like installing a trojan on your computer! by toadlife · · Score: 0, Offtopic

      And your reaction to it is pure hilarity, moron.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

    14. Re:just like installing a trojan on your computer! by mlts · · Score: 1

      It sounds like you know what you are doing and are able to cook ROMs worth downloading. I just think that because compromising phones is so lucrative [1] that it will only be a matter of time before the modding community (be it Windows Mobile, Android, jailbroken iPhone utilities, even the N900) will be strongly hit by this. This is why I like the idea of PGP/gpg signing ROMS, and perhaps urging a popular modding forum (xda-developers, modmymoto, etc.) to sign and store copies of developers' PGP/gpg keys for easy retrieval and validation (so someone impersonating a dev cert wouldn't go far.)

      I worry about two things when it comes to modding phones: Piracy and compromised ROMs. Piracy gets app developers to put more pressure on Google, phone makers, and carriers to make their devices more hostile. A compromised ROM, regardless of platform, if it affected a good amount of people would cause phone makers and cell carriers to start putting more root-hostile "features" on their devices, such as the signed kernels on the Milestone, to daemons that run that kill any root process that isn't on a manifest list.

      At least PGP/gpg signing of ROMs means an attacker has to go to serious lengths to try to get around it, perhaps by hacking one of the bigger Web forums. Even then, if people already have a copy of the public key, it will be obvious that a ROM was tampered with on download.

      [1]: Tons of ways to make money from a compromised phone. Repeatedly dial a long distance number, send out spam via SMS, send out traditional spam via a smtp server, grab user contacts and info for use for targeted phishing or extortion, use the phone's storage for a BitTorrent seed or FTP server, use the phone as a proxy to further hide a blackhat's IP tracks, and so on.

    15. Re:just like installing a trojan on your computer! by khchung · · Score: 4, Insightful

      I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

      And that's exactly why you and many /.ers cannot see the value proposition of the iPhone. For you, the Android phone is just a smaller PC, a general purpose computer, so if a user doesn't know enough not to install trojans, that's the user's problem.

      But to the users, the phone is an appliance, that is used daily and contains lots of private information. The last thing I want is for it to crash or get a trojan leaking my data. If the cost of that is I have to be subject to Apple's arbitrary rules, cannot run flash, may miss out on a few "cool" apps, and may not use the hardware to the fullest possibility, then so be it. I would still be using a 2G dumb phone if none of the phones in the market could give me that value.

      Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.

      As a user, I don't care if I am not using the hardware to the fullest possibility, what I care is what kind of value proposition the product is giving me.

      --
      Oliver.

    16. Re:just like installing a trojan on your computer! by Anonymous Coward · · Score: 0

      Cyanogen provides md5 checksums of all his ROMS, FWIW.

    17. Re:just like installing a trojan on your computer! by Anonymous Coward · · Score: 0

      No. All it takes is for one cool app to contain a trojan that can get past Android's sandbox security model and gain root access. This is a bit different.

    18. Re:just like installing a trojan on your computer! by ady1 · · Score: 1

      I agree with the major part of your post except one small discrepancy. Milestone does not have a monolithic kernel. In fact, none of the Android devices do. Simply because a lot of the underlying device drivers are proprietary while the Linux kernel is GPL so module support is a must. Just an example of a third-party module with stock kernel: http://code.google.com/p/milestone-overclock/

    19. Re:just like installing a trojan on your computer! by delinear · · Score: 1

      This is simply another case of Misleading Title Strikes Again. From TFA:

      On its own, Trustwave's rootkit isn't much of a threat to Android users. That's because a criminal would first need to figure out how to install the software on a victim's phone. This could be done by building the rootkit into a rogue application sold via the Android Market, or by exploiting a new, unpatched bug in Android's Linux kernel that could allow the program to be installed.

      So basically it doesn't do anything new - it's trivial to write an app that will redirect a dialled number to a different number, or hijack the browser, the hard part is, and always has been, getting that app onto the phone with sufficient privileges to be able to do these things. Always beware the claims of "security researchers", as this generally translates to "people who want to sell you some piece of AV software and therefore have a massive ulterior motive in having you think your hardware is insecure". Until I hear of a valid way for them to get this onto a phone in sufficient numbers to be a worry, I'll not be losing too much sleep...

    20. Re:just like installing a trojan on your computer! by delinear · · Score: 1

      Agreed - maybe just some method of notifying users that $RANDOM_APPLICATION has been discovered to have vulnerabilities, with the option to ignore it, remove it or visit some website for further details. I might have a legitimate reason for wanting the code on my phone (if I'm a researcher, for instance), or I might need to retrieve valuable data before it gets wiped. At the very least, events of the past couple of years show people like to be informed/involved in this process, rather than some process silently modifying their device.

    21. Re:just like installing a trojan on your computer! by delinear · · Score: 2, Insightful

      What evidence do you have that it's any more or less difficult to execute this kind of attack against the Android over the iPhone? Both have locked down market places where regular users go for all of their app needs, the only difference is that more advanced users can install code from outside the market place on the Android. The kind of users who go to these lengths tend to have a bit more technical savvy, and would likely be the type of people who would jailbreak their iPhone anyway, exposing it to the same risk. What many /.ers object to is not that there is a walled app market, in fact the majority can probably agree that for average users this is a good thing, but that there's no means for the more advanced user to step outside that market without invalidating their warranty. Android shows that it's entirely possible to incorporate both approaches, but if you can demonstrate it's more vulnerable to attacks in the wild because of this, I'm certainly listening.

    22. Re:just like installing a trojan on your computer! by Pharmboy · · Score: 3, Insightful

      Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.

      But you are a different kind of user, just as iPhone customers are different than Android customers. Some of us WANT to tweak with the phone/system a bit and are willing to pay the price, ie: higher likelihood of issues and higher maintenance. This is the same reason I prefer PC games over console games.

      You don't have to be an uber hacker, or even a programmer, to appreciate the ability to tweak things. For you, the phone (or gaming console) is an "appliance". To me, my phone and computers are "tools", which can be sharpened, changed, upgraded, and sometimes broken. It is just a difference in expectations. I'm picking up my first Android in a week. The main reason I am getting one is to be able to ssh into my Linux servers and manage them from anywhere, and I mean anywhere. That doesn't sound like something you would do.

      --
      Tequila: It's not just for breakfast anymore!
    23. Re:just like installing a trojan on your computer! by Anonymous Coward · · Score: 0

      AC, this is another AC speaking and *your* comment and the fact that it is +5 interesting is the true epic fail.

      It means people, brainwashed by decades of MS dominance, have come to accept that it is normal that installing an app with a trojan can "root" a machine.

      I'm sorry, but this is totally wrong. On a correctly designed system a user shouldn't have root abilities and no matter what he does, including installing a program, should **NEVER** result in that program gaining root access to the OS.

      The OS should have safety measures in place preventing, for example, any *user-installed app* from calling numbers in Antarctica without confirmation.

      On a correctly designed system, user "joe" should be able to surf p0rn and install every single p0rn executable from his own account and this **SHOULD NOT** change **ANYTHING** to user "jane"'s account/experience when user "jane" logs in on that same machine.

      However decades of insecure Windows experience, augmented by paid MS astroturfers and MS apologist/fanbois, have made people believe it's "their fault" if when they install "untrusted software" their computer starts malfunctioning.

      But it really shouldn't be that way.

      Actually, if I give a user account on my Linux workstation to someone else and that person manages to screw my system, I consider my Linux distro/install to be broken/misconfigured.

      **THAT** is how computer security should be approached.

    24. Re:just like installing a trojan on your computer! by khchung · · Score: 4, Insightful

      You missed the point. General users don't care about what advanced users cannot do. If you want a phone that you can install whatever you want, don't buy the iPhone.

      Secondly, whether by genius, pure luck, reality distortion field, crazy app store policy or whatever, Apple has successfully created the iPhone as a platform that can consistently deliver the intended appliance-like user experience.

      In contrast, it doesn't matter that you can write 2 papers or win every Slashdot argument that the Android is, in theory, just as secure as the iPhone. When users cannot buy from the app store because his country is not supported, when users can only install pirated app because of that (and thus opening the opportunity for trojans), and when apps his friend told him about are invisible because of different OS version, it erodes the user's experience.

      Added on that, you got developers who think a user installing a trojan is his own fault, implying the user is responsible for learning to use the phone as a general purpose PC, then the phone failed to behave as an appliance, it lost its value for users looking for an appliance.

      --
      Oliver.
    25. Re:just like installing a trojan on your computer! by MikeBabcock · · Score: 1

      Responding on behalf of the parent, the software has to be installed first. Manually.

      Now sure, someone borrowing your phone might do it, but the software has to get onto your phone and be permitted to make these changes first.

      This type of rootkit already exists in the form of phone locator software.

      --
      - Michael T. Babcock (Yes, I blog)
    26. Re:just like installing a trojan on your computer! by MikeBabcock · · Score: 2, Insightful

      You know if you posted other than AC you could answer this ...

      But have you seen how the permissions work on Android?

      When installing this app you'd have to give it permission to do the things it does. It asks explicitly.

      --
      - Michael T. Babcock (Yes, I blog)
    27. Re:just like installing a trojan on your computer! by Anonymous Coward · · Score: 0

      No, you missed the counter point and only want to drone on about your opinions of Android v iPhone. The question is: is Android less secure than the iPhone in the wild? Does the average Android user succumb to installing rootkits on their phone with any regularity? Unless there are some valid statistics collected by someone we are just speculating. Just because someone has developed a way to walk a user through the steps of installing a rootkit on their phone doesn't mean it is or will happen in the wild.

    28. Re:just like installing a trojan on your computer! by EnglishTim · · Score: 1

      I don't see how Apple protects you from a trojan. Apple doesn't audit the source code of every application - they just judge it by using it like any other user would. They may have some tools that monitor what network connections it makes, and probably some code that scans the exe for calls to undocumented API functions, but Apple can't guarantee that any app in their catalog doesn't hide malicious code.

      Compare with Android - Google doesn't audit the code at all, but the programs do run in a Java VM which will prevent the program from doing operations it doesn't have permissions for. Permissions required for the program are displayed on installation.

    29. Re:just like installing a trojan on your computer! by khchung · · Score: 1

      Did I ever say the Android is less secure than the iPhone? Arguing about which one is more secure is missing the point, or is a strawman that detracts from the point.

      The point is if you want your users to treat the Android as a general purpose PC (ie know enough to avoid installing trojans), then you don't understand what most* people want from a smartphone. The last thing I want from my phone is the cost of ownership of a general purpose PC.

      *"most" as evident from the huge sales numbers of iPhone.

      --
      Oliver.
    30. Re:just like installing a trojan on your computer! by khchung · · Score: 1

      Compare with Android - Google doesn't audit the code at all, but the programs do run in a Java VM which will prevent the program from doing operations it doesn't have permissions for. Permissions required for the program are displayed on installation.

      This is exactly what I mean, treating the Android phone as a general purpose PC.

      You expect Joe grandma will understand what "permission" she should "grant" to a newly installed app? Would she even understand what it means? Much less what implication for each permission, or combination of permissions means? How about your company's receptionist? You think she will understand that?

      --
      Oliver.
  6. Wow this article makes it so scary by Technomancer · · Score: 4, Interesting

    From TFA: "The rootkit could also track a victim's location or even reroute his browser to a malicious Web site."
    Really? And then what? The malicious website will install another worse rootkit?
    It has rootkit! The phone is compromised, all the information you have on it is potentially leaked and the phone doesn't belong to your carrier anymore (it never belonged to you, you realize that, right?) it belongs to the rootkit operator. The only cure is to either flash it with fresh OS or burn it with fire.

    1. Re:Wow this article makes it so scary by fermion · · Score: 1
      I agree that for the most part such a rootkit would be more of an annoyance than anything else. Most people don't do serious work on their phones, and so bank passwords and the like should not be an issue. However even annoyances can be an issue. Remember when everyone was up in arms because malicious web site would substitute or create additional advertising? Remember when everyone had a 'helper' browser plugin that would display pop ups and track all your web browsing then send all that data to advertisers? These really caused no problem for the user, but we didn't like them so spent a great deal of time eradicating them. Not scary, not a big problem, but not liked.

      Then of course many Android users in the US are on Verizon, and I assume many have not opted to pay for the GB plan, so are allowed MB per day, which, since Verizon is the best network in the US, has very good bandwidth. It would not be very difficult, therefore, for a marketer to set up background apps to download huge Flash adverts that would generate page views and revenue. Google is not going to care because they get a cut of all ad revenue, and Verizon won't care because they get to charge for excess data. It is win-win.

      And, we can't recall one of the oldest tricks in the books, which was merely an annoyance so no one really cared. The reprogramming the modem to dial an especially expensive foreign number. In the case of the Android phone, the phone could be set to dial through one of those expensive long distance services like they have at airports, where a three minute call can be billed back to your cell account for $50. It is not in the article, but if I have control of the phone, then it makes sense that I would have control of the call. And who is being called on that phone. For sale to any investigative office that is willing to pay for it.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    2. Re:Wow this article makes it so scary by Technomancer · · Score: 1

      Actually, phone with a rootkit is a very serious problem. Lots of people DO BANKING on their phones, and check emails, and do all kinds of stuff. So their financial and personal information is at risk.
      Also, from all phone operating systems out there Android seems to be the safest choice because of the fact that all apps run in their sandboxes and they are just bytecode executed by VM.
      But then there is native SDK too, so I guess apps that use NDK would have it easier to root the phone.
      I think a real problem for phones (and PCs) is a simple question of trusting the applications you install. It does not matter whether you download it from the web, or install from app store. It does not matter whether it goes through Apple approval or more lax Google app store. The app may just do little more than what it says it does and send your important information somewhere. There is no test that would prevent it. Even though the apps could be revoked it is going to be too late.
      The only possible solution is to have application source code available for review and applications compiled from source.
      And that is why we need Gentoo for phones.

    3. Re:Wow this article makes it so scary by maxwell+demon · · Score: 1

      And that is why we need Gentoo for phones.

      "I tried to phone you last week, but I couldn't. What happened?" - "I was compiling a new kernel."

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:Wow this article makes it so scary by Anonymous Coward · · Score: 0

      (it never belonged to you, you realize that, right?)

      Weird. I distinctly remember going in to an electronics shop and buying a phone to use with my existing operator, whom I signed up with without getting a phone in the deal.

      Not everyone lives in a country where the consumer is raped at every opportunity.

    5. Re:Wow this article makes it so scary by Fumus · · Score: 1

      the phone doesn't belong to your carrier anymore (it never belonged to you, you realize that, right?) it belongs to the rootkit operator.

      I don't know about you, but I buy my phones myself. It's always cheaper than if I got it on contract and had to pay an X amount of money over Y years.

  7. It will be. by maillemaker · · Score: 3, Interesting

    >Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as they increase in popularity? I'm not being facetious, I come here because I don't know these answers.

    If it's not, it will be.

    Clearly there is big business to be made in compromising traditional computer systems today. In the early days (and I've been around computers since the TI99/4A) it seems that "viruses" were primarily made as a prank. But today the biggest threats seem to be botnets which are used for profit to either propagate spam and execute denial of service attacks through distributed means, or simply to skim valuable user account data off of the compromised systems. This is all far beyond the amateur pranks of old. It is now done for financial gain.

    Cell phones have rapidly become computers. All the benefits of compromising traditional computers will likely follow.

    --
    A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
    1. Re:It will be. by maxwell+demon · · Score: 2, Interesting

      Not only that. Attackers could get your phone banking credentials by just recognizing when you call a phone banking number, and then recording the initial part of your phone call and sending the files to the attacker. Remember, as much as smartphones are computers, they are still phones (in principle it could be done for VoIP on traditional computers, too, but I guess few people do phone banking over VoIP). In addition, they often are GPS appliances as well, so additionally an attacker could use them to track you. It may even become a vector for ordinary computer malware: The malware gets onto the phone when synchronizing with the computer, then sends itself to another phone, and then gets onto another computer when synchronizing with that phone. It may be a way to get into computers which are otherwise firewalled well.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:It will be. by TheLink · · Score: 1

      With some banks in my country if you want to do certain online transactions on their banking web app, you need to enter an authorization code.

      You click on "request code" or whatever and the Bank sends a bunch of digits via SMS to your phone. Yes SMS isn't encrypted, but to me the risk is acceptable for my scenario.

      The risks might not be as low for people who use a fancy exploitable phone for online banking that's the same as the one that receives that SMS ;).

      --
  8. Talk about misleading headline! by AC-x · · Score: 5, Insightful

    The headline makes it sound like you can get infected with a root kit from a phone call which is nothing like what's being said, what a load of sensationalist bollocks.

    Why would you even want to activate a root kit via a phone call? The phone's got a permanent internet connection so it may as well just poll a server for commands.

    1. Re:Talk about misleading headline! by Xest · · Score: 2, Insightful

      Yep, I'm trying to figure out what exactly the point of this demonstration is.

      It's like the guy in question has just figured out that you can write software that does bad things, not just good things, and so has written a piece to demonstrate this.

      What can be done is irrelevant, we already know what can be done, the problem is doing it, and that needs an attack vector, ideally a remotely exploitable one for the "best" hacks, and this guy hasn't found any.

      I'm not even sure it serves as an example of the future of malware, it's hardly even imaginative. I suspect future malware threats will more likely involve things like P2P networks set up by the malware itself that is used to distribute updates that provide the malware with new exploits to try infecting other machines with or that receives anti-anti-virus updates to kill off any AV software even if attempts are made to update it. In general, I suspect malware will get a whole lot more intelligent in terms of mining data on infected systems, making users believe there's nothing wrong, and in spreading itself.

      The example in TFA demonstrates none of this sort of thing, just stuff that's long already been done. Hell, even my examples are hardly that far fetched, I'm sure some malware out there already does a lot of this sort of thing right now.

    2. Re:Talk about misleading headline! by Anonymous Coward · · Score: 0

      Polling a server would be noticed in logs. It might be easier to hide as a sleeper cell than as an active cell.

  9. Pure and utter bullshit by Anonymous Coward · · Score: 4, Insightful

    You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell

    And then he can make the phone emit lasers that will kill your dog and drive your car into a wall!

    *sigh*

    The thing about a rootkit is that you need root before it works.

    Installing an app from Market (or anywhere else) won't do it.

    So.. in order for this to be a threat, the attacker would have to convince the user to root their phone (potentially bricking it), install their trojan app, then give that app root access.

    While there may be stupid people around, the number of stupid people who would root their phone, to install an app, and give that app root access, and not know that this is a stupid thing to do is minuscule (and IMHO those that would deserve everything they get.)

    This is a total non-issue.

    1. Re:Pure and utter bullshit by RyuuzakiTetsuya · · Score: 1

      or an exploit to escalate privileges to root. :)

      --
      Non impediti ratione cogitationus.
    2. Re:Pure and utter bullshit by Anonymous Coward · · Score: 1, Informative

      Did you see that anywhere in the article?

      No. They explicitly said that this could be done with a market app.

      In other words, they have no exploit. They have no attack vector. This is just bullshit.

    3. Re:Pure and utter bullshit by Anonymous Coward · · Score: 0

      You have to be crazy to buy an Android phone and not root it. I rooted mine almost as soon as I found out how. Root gives you more options, including the ability to install custom roms, that work even better. I would expect that at least 90% of android phones are rooted, or all those people are wasting their phone's abilities. I got a backup app on my phone. I can wipe and reflash the ROM as often as I want. I do it every time a new version is released.

    4. Re:Pure and utter bullshit by delinear · · Score: 1

      You have to be crazy to buy an Android phone and not root it. I rooted mine almost as soon as I found out how. Root gives you more options, including the ability to install custom roms, that work even better. I would expect that at least 90% of android phones are rooted, or all those people are wasting their phone's abilities. I got a backup app on my phone. I can wipe and reflash the ROM as often as I want. I do it every time a new version is released.

      Likewise 87% of all statistics are completely made up without any basis in reality. I'd be very surprised if anywhere near 90%, or even anywhere near 5% of Android users had rooted their phones. Here, the latest Android phones are selling out, they're so popular, I just find it hard to believe that there are that many people competent enough to do this and willing enough to void their warranties. Same with iPhones - I know two circles of people, one technical, one non-technical, while a few of the technical people have jailbroken their iPhones, nobody I know from the non-technical field has done so. I can see why, if you were in the former, you would assume everyone was doing it, but I'm really not convinced that's true (for anecdotal evidence, just look at all the people asking on forums when Froyo will be released for their phone - if they'd rooted them they'd already be able to install it).

      I consider myself to be technically competent, certainly I've cracked many devices in the past but only at the point where they no longer do everything I want - so far the Desire has done everything I've asked of it, and I don't want to lose SenseUI and void my warranty until that's no longer the case. Besides which, the users who have rooted their phones are probably the worst attack vector for a rootkit as, if they've any sense at all, they'll be backing up their data like you and they won't be running every piece of junk code they come across without independently verifying what it does.

  10. sooo. yeah? by Eil · · Score: 4, Insightful

    I'm not trying to belittle these guys' security research or anything, but why is it surprising that you can whip up a rootkit which runs on a phone? Anything with a CPU can have backdoors made for it. The hard part has always been getting the backdoors onto arbitrary devices without the owner knowing about it.

    Engineer a computer which can be proven secure and then I'll be impressed.

    1. Re:sooo. yeah? by ady1 · · Score: 1

      A rootkit is a program. To make a computer truly secure, you need to remove the ability to run programs. Thus, you need a computer which isn't a comp.... errr never mind.

    2. Re:sooo. yeah? by Anonymous Coward · · Score: 0

      Engineer a computer which can be proven secure and then I'll be impressed.

      That's easy, just lock it down and don't let the user install anything.

  11. Not feasible by Anonymous Coward · · Score: 0

    Meh fag....Too many sandboxes....not feasible for a mainstream virus. Quote me bitch

  12. This article brought to you by.... by DrPeper · · Score: 1, Insightful

    Apple, and possibly in some part by Microsoft. Competition is bad, just plain bad, when are we idiot consumers going to get this through our microscopic minds?!

  13. Code can run on processors if installed properly. by GNUALMAFUERTE · · Score: 5, Insightful

    Film at 11.

    These guys installed a fucking KERNEL MODULE into that system. Well, they can make it receive calls, or they can make it play fucking tetris. It's code. You can write whatever you want, and execute it however you want, if you have access!

    Being able to run code in a given processor is NOT AN EXPLOIT, it's just basic functionality. If I got ahold of your computer, installed a CD drive in it, erased your OS, then installed Ubuntu on it, and used that to play tetris, is that considered a vulnerability too?

    It would be a vuln if they had the ability to install that fucking rootkit without physical access to the phone. That's the hard part.

    Article is FUD and submitter is trolling. 0/10

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. Re:Code can run on processors if installed properl by GNUALMAFUERTE · · Score: 2, Interesting

    Sorry to reply to myself, but this ridiculous "research" comes out a day after Google announces it's ditching Windows because it's insecure. Anyone smell Microsoft behind this "independent research"?

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  16. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  17. Re:Code can run on processors if installed properl by Mark19960 · · Score: 1

    Or Apple.
    There has been a lot of FUD like this lately.

    If they target the modding community someone will spot this VERY fast.
    If they get this on 10 phones without the owner knowing I would be shocked.

    They can do the same to iPhones so like you said, article fails.
    Better yet, take the article and replace android with iPhone OS and now you have Apple FUD.

  18. So what ... required physical access by smart_ass · · Score: 3, Insightful

    If I get physical access to your phone I can install something that can steal all your contact info and CC #s ...
    How about I steal the phone, steal the info and then reset the phone and use it myself ... no Rootkit required?

    What the hell ... how is this news?

    Slow day on /.

    --
    Ouch ... did I just say that.
    1. Re:So what ... required physical access by Fnord666 · · Score: 1

      What the hell ... how is this news?

      Apparently it's news to samzenpus, which doesn't say much for the editorial staff here.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    2. Re:So what ... required physical access by delinear · · Score: 1

      It contains the magic ingredients: a product by a popular or well known brand and the word "rootkit". There's probably an automated system to just greenlight all such stories without an editor ever having to intervene.

  19. Wrong title. by mallyone · · Score: 3, Funny

    Should read: Android rootkit is just a fud call away.

  20. Seems like a good Proof of Concept... by HockeyPuck · · Score: 1

    Sure the researcher had to write a kernel module etc etc... but how does most malware get on people's computers? They inadvertently install it because they want IM icons, funny sounds, animated pointers etc etc. So what's to say someone doesn't write some Android application that appears to be harmless yet everyone wants it, then mom/dad/grandma install it?

    I would be more impressed if the researcher found a way to get rootkit software through Apple's auditing process.

    While I'm no apple fanboy, I would think the average Joe would take solace in the fact that a company is auditing every application that is sold through their store.

    1. Re:Seems like a good Proof of Concept... by delinear · · Score: 1

      Of course anyone could write such an application. It won't have root, though, and it will have to flag up a message specifically requesting access to every process it needs to use at the point of install. If the application can survive not being spotted by someone technically competent and can convince a user that a nice icon pack needs access to their phone's dialling ability, then fair enough, there's not a lot you can do to mitigate this besides locking everything down and vetting everything. If this ever becomes problematic enough, there's nothing stopping Google instigating that kind of in-depth vetting of apps added to their market (or someone else establishing their own market with verified apps).
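
      The install-time permission review this thread keeps returning to (an icon pack asking for dialling or SMS access), as an added example that is not part of any commenter's post. The permission names are real Android permissions; the category baseline and both manifests are constructed for illustration, and the code reads plain-text manifest XML rather than the binary form packed inside an APK.

```python
"""Added example: flag install-time permission requests that do not fit an app's purpose."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions that let an app observe or place calls and SMS messages.
TELEPHONY = {
    P + "CALL_PHONE", P + "PROCESS_OUTGOING_CALLS", P + "READ_PHONE_STATE",
    P + "RECEIVE_SMS", P + "READ_SMS", P + "SEND_SMS",
}
# Permissions that expose personal data.
PRIVATE_DATA = {P + "READ_CONTACTS", P + "ACCESS_FINE_LOCATION", P + "READ_SMS"}

# Hypothetical baseline (an assumption of this example, not an Android feature):
# what each kind of app plausibly needs.
EXPECTED = {
    "icon_pack": set(),
    "dialer": {P + "CALL_PHONE", P + "READ_PHONE_STATE", P + "READ_CONTACTS"},
    "sms_client": {P + "RECEIVE_SMS", P + "READ_SMS", P + "SEND_SMS",
                   P + "READ_CONTACTS"},
}

# Constructed sample manifests (not taken from any real app).
ICON_PACK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iconpack">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Shiny Icons"/>
</manifest>
"""

DIALER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dialer">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Simple Dialer"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml.strip())
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}


def audit(manifest_xml, category):
    """Return a list of (kind, detail) findings worth a human look.

    "unexpected": a permission outside the baseline for this category.
    "combo": a pairing that gives both a trigger or data source and a
             network path, whatever the category. A finding means "review
             this", not "this is malicious".
    """
    if category not in EXPECTED:
        raise ValueError("no baseline for category %r" % category)
    requested = requested_permissions(manifest_xml)
    findings = [("unexpected", perm)
                for perm in sorted(requested - EXPECTED[category])]
    has_network = (P + "INTERNET") in requested
    if has_network and requested & TELEPHONY:
        findings.append(("combo", "telephony+network"))
    if has_network and requested & PRIVATE_DATA:
        findings.append(("combo", "private-data+network"))
    return findings


if __name__ == "__main__":
    for label, manifest, category in (
        ("icon pack", ICON_PACK_MANIFEST, "icon_pack"),
        ("dialer", DIALER_MANIFEST, "dialer"),
    ):
        print(label, audit(manifest, category) or "nothing to review")
```

      This only covers what an app declares through the permission system; code that reaches the kernel through an exploit or a rooted device never shows up in a manifest.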

    2. Re:Seems like a good Proof of Concept... by Anonymous Coward · · Score: 0

      Sure the researcher had to write a kernel module etc etc... but how does most malware get on people's computers? They inadvertently install it

      Without an exploit that's simply not possible on Android. On Android, every application receives its own user and group id. No application has root access. That means no application can modify another application. Each is completely isolated from everything else on the device. The only exception to this are phones which have been rooted; which include developer phones. And devices which have root access still require the user to explicitly allow root access for the application in the question. The majority of devices do not make root accessible in any way. Which means only the OS and the Android framework (indirectly - framework proper does not actually run as root) have root access. Furthermore, because Android is running on Dalvik, its far more unlikely an exploit is possible given that its a stream of interpreted byte code. This may somewhat change once the Dalvik JIT becomes widely available. Meaning, an exploit may become possible, but still not very likely. Just the same, Android's security and operating model is widely considered the strongest, by a wide margin, of all of the widely available mobile platforms.

      Even accessing the GSM modem requires root access. Creating a third party dialer still sits on top of the Android framework, which is then indirectly requesting Android to access its secured APIs which then communicate with a secured daemon, which then communicates with the GSM modem. It's the daemon which has root privileges.

      Furthermore, most production builds of Android use a monolithic kernel. This means the KERNEL MODULE, which the author requires, can't even be installed on the majority of Android devices around the world. This in turn not only means you must root the device, but you must then somehow manage to install a new kernel on the device. Add in the fact that this kernel must also account for the various device specific device drivers, and suddenly even this doesn't look very credible; assuming you were willing to completely ignore reality to make it this far in the first place.

      This is as much a news story as saying, "If you allow a complete stranger into your house, and even provide him keys, we were all shocked to find the place had been robbed." Only an idiot would be surprised by that conclusion and yet that's exactly what the stupid article is asking people to swallow.
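The two comments above rest on the same control: an ordinary app runs sandboxed and must declare at install time any permission that lets it touch calls or SMS. As an added example (not part of any comment or of the researchers' work), this Python sketch audits a decoded `AndroidManifest.xml` for those permissions and for broadcast receivers that wake on an incoming call or SMS. The manifest and package name are constructed, and it covers the app-level case only, not the kernel module the article describes.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app see or act on calls and SMS.
TELEPHONY_PERMISSIONS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Broadcast actions that wake an app when a call or SMS arrives.
TRIGGER_ACTIONS = {
    "android.intent.action.PHONE_STATE",
    "android.provider.Telephony.SMS_RECEIVED",
}

# Constructed sample: decoded manifest of a hypothetical icon-pack app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iconpack">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Nice Icons">
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def audit(manifest_xml, expected=frozenset()):
    """Return (unexpected telephony permissions, call/SMS-triggered receivers)."""
    root = ET.fromstring(manifest_xml.strip())
    perms = sorted(
        p.get(ANDROID + "name") for p in root.iter("uses-permission")
        if p.get(ANDROID + "name") in TELEPHONY_PERMISSIONS - set(expected)
    )
    triggers = sorted(
        (r.get(ANDROID + "name"), a.get(ANDROID + "name"))
        for r in root.iter("receiver") for a in r.iter("action")
        if a.get(ANDROID + "name") in TRIGGER_ACTIONS
    )
    return perms, triggers

if __name__ == "__main__":
    perms, triggers = audit(SAMPLE_MANIFEST)
    print("unexpected permissions:", perms)
    print("call/SMS receivers:", triggers)
```

Pass the permissions an app legitimately needs (a dialer, an SMS client) as `expected` so only the mismatches are reported.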

  21. Re:Code can run on processors if installed properl by D+H+NG · · Score: 1

    Google announced no such thing. It's a news story from the Financial Times that Google neither confirmed nor denied.

  22. So...Your Soon-To-Be Wife Loads up Your Android by BoRegardless · · Score: 1

    Ahh...open source cell phones give me that wonderful, fuzzy, anti-establishment, broke ex-husband living in a 1 room apartment feeling.

    1. Re:So...Your Soon-To-Be Wife Loads up Your Android by tmach · · Score: 2, Funny

      If my wife could create a rootkit, I wouldn't be divorcing her!

  23. Physical Access by slater86 · · Score: 2, Insightful

    Once it's installed on the Android phone

    One would assume that if you had physical access to most equipment, it's usually game over anyway. No more vulnerable than a netbook really (both being more portable than desktops). Just more people have phones.

    --
    When people ask if I'm an optimist, I say "I hope so". --Bill Bailey
  24. Typical Slashdot ... by P1aGu3ed · · Score: 0, Flamebait

    Android Exploit - "FUD, It's simple, not an exploit, it's by design, anyone could do it ..." etc etc
    iPhone Exploit - "Bloody apple, those idiots will ruin the world, what do you expect ..." etc etc
    Please, the bandwagon is getting full, try getting on another one.

    1. Re:Typical Slashdot ... by delinear · · Score: 2, Insightful

      There is no magic exploit. If I got physical access to your Android, I could root it then install a rootkit. If I got access to your iPhone, I could jailbreak it and install a rootkit. If I got access to either of your phones, why would I bother when I could just sell them for a guaranteed return? And if I have no access to your phone, how do I root it and install a rootkit? This isn't Apple vs Google, it's AV vendor FUD vs. common sense. By muddying the water you're working against common sense.

    2. Re:Typical Slashdot ... by Anonymous Coward · · Score: 0

      Payoff for selling a black market stolen cell phone: $150
      Payoff for rooting the phone, obtaining your credit card and bank account information: potentially $thousands

  25. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  26. FUD by Anonymous Coward · · Score: 0

    "Android Rootkit Is Just a Phone Call Away"

    No it bloody isn't.

    There is no such thing as a dial to infect rootkit for android.

    1. Re:FUD by maxwell+demon · · Score: 1

      "Android Rootkit Is Just a Phone Call Away"

      No it bloody isn't.

      Why? You think they won't send you their root kit if you nicely ask them on the phone? Heck, they may even tell you how to get the thing installed on your phone!

      --
      The Tao of math: The numbers you can count are not the real numbers.
  27. Microsoft Advises his employees by Anonymous Coward · · Score: 0

    to leave Android and turn to more secure Windows Mobile...

  28. Re:Code can run on processors if installed properl by maxwell+demon · · Score: 1

    If I got ahold of your computer, installed a CD drive in it, erased your OS, then installed Ubuntu on it, and used that to play tetris, is that considered a vulnerability too?

    Yes. However, the critical vulnerability in that case would be in the physical security of my home.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  29. Re:Code can run on processors if installed properl by delinear · · Score: 1

    I don't think Apple or MS benefit greatly from this, okay it specifically talks about Android phones, but some mud is bound to stick to them, too. Following the money would suggest AV vendors, who for years have been unable to make much headway selling AV solutions to Linux or OSX users, are suddenly worrying about the possible move to mobile devices which primarily use systems which haven't been subject to masses of viruses. On the horizon, mobiles with tethered devices for applications which require more screen real estate could see the elimination of a desktop/laptop/netbook in many homes, and if it becomes common knowledge that phones just don't get infected, their business suddenly goes down the toilet. Better to get in now with some scare stories about the vulnerability of these devices if you want to sell your product on them in the future.

  30. Once it's installed? by Rog7 · · Score: 1

    Okaaaaaaay. What's the point of this article?

    "Once it's installed" ...

    There's no description or indication of a specific exploit that can be leveraged. In fact the entire premise doesn't require an exploit at all.

    You know, once I light a match and burn my phone, it will be burnt! Good grief.

  31. This isn't a threat; it's a tool. by Dragee · · Score: 1
    IMHO, the news here isn't the threat of a malicious rootkit, but the functionality that can be used for other purposes. In a penetration testing scenario, this would be a sweet little tool. Hide an Android phone somewhere in the target facility (or vehicle), and then you can silently call it from across the city/country/world and activate wifi/GPS/camera/microphone.

    My android phone also uses USB for charging and data transfer, so it wouldn't be hard to hang it off the back of a PC, place it out of sight, and never worry about the battery running down (my phone doesn't show up to the computer's OS until you tell the phone you want to connect).

    --
    dragée (n): a sugarcoated nut
    1. Re:This isn't a threat; it's a tool. by Dragee · · Score: 1

      I guess the whole "rootkit" aspect isn't really necessary for the scenarios I described, though. Since one can write their own apps on Android, you could just write your "Pen Testing Suite" and toss it on the phone, without mucking about trying to hide it as a rootkit.

      --
      dragée (n): a sugarcoated nut
  32. Passwords by Anonymous Coward · · Score: 0

    wellsfargo.fakebank.com
    bankofamerica.fakebank.com
    otherbanks.fakebank.com

    Keyloggers, the true bane of any security system.

  33. Once it's installed by Dishevel · · Score: 1
    Once it's installed on the Android phone....

    samzenpus. You are a fucking idiot. Attention! Once the fucking idiot program is installed into samzenpus's cpu he will become a fucking idiot. Too late.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  34. Remember : Apple Just Works by Anonymous Coward · · Score: 0

    There is an advantage of having control over both hardware and operating system software of a platform. The result of that advantage is all of Apple's products just work with no problems. Can't say that about Android, Windows Mobile, or WebOS. All three of those platforms don't adhere to any standards and they are all open to any and all attacks.

  35. Someone rescue the children! by RichiH · · Score: 1

    So you are saying if I install software on a computer, said software can react to incoming data? Their (sic) should be a law against these sort of things!

    Coming up next: Man hits self with hammer; feels pain.

    PS: Yes, a phone number tends to stay associated with a device which is not true for IPv4. That might or might not change with IPv6.

  36. Re:Code can run on processors if installed properl by Anonymous Coward · · Score: 0

    Perfect FUD for base users for Apple and Windows against Android phones.

    Or any other phone OS manufacturer. Any phone can be compromised in optimal situation. If this was an exploit of a security hole I would be much more worried...... It does not appear to be so meh.

  37. Good that they take security serious by Anonymous Coward · · Score: 0

    No user will install these programs by themselves, but the problem is if they have jealous wives/husbands and so on. Being able to read your girlfriend's SMS is very tempting for some people. There have been stories in the news about this happening on s60 (someone _else_ installing spyware to "find out".) I don't know enough about Android to know if this is possible, but anyway it's a very good thing that they address this so it never will be a problem.

  38. Market fragmentation by thetoadwarrior · · Score: 1

    Clearly the android market is the worst market for rootkit developers. They should go for the iPhone where you can ensure everyone isn't very bright and has the same hardware.

  39. FUD, the described scenario is impossible by DigitalPioneer · · Score: 0

    I'd bet money that Apple had a hand in this article, it's complete and total FUD. If you install a malicious _kernel module_ on the phone (note that it is completely and entirely impossible to distribute this over the Market), and load it (note that this requires root, and stock android phones will not allow this; rooted phones require direct user intervention to allow root access), then all manner of evils may occur. That's like saying if you look up a robber, give him your keys, tell him you're going to be out of town for the next couple of weeks, and that you're not enabling the security system; you might get robbed.