Android Rootkit Is Just a Phone Call Away

alphadogg writes "Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious 'rootkit' program they've written for Google's Android phone next month at the Defcon hacking conference in Las Vegas. Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. 'You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program],' said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research."

Hacking mobiles

[lobf]

Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as they increase in popularity? I'm not being facetious, I come here because I don't know these answers.

Re:Hacking mobiles

[Seth024]

That's certainly possible.

The big problem I believe is that there are so many different operating systems (Symbian, iPhone OS, Android...) that all have a part of the market. Being able to write a virus/find a backdoor to control 90% of PCs is very profitable. Just like there are not many people writing virusses for Mac OS or Linux, there are not many viruses for mobile phones (yet).

Re:Hacking mobiles

[delinear]

I would have thought, if it was easy, it would certainly already be happening. The smartphone market might be small compared to a desktop OS like Windows, but the possibility for profit is much more immediate, since you have a device which can connect to premium services without any further need to obtain secure passwords or banking details, etc. from the owner. You just set up a premium number in a foreign locale, have the software wait until the phone is idling (on charge maybe, and not been touched for a couple of hours, so you can assume the owner is probably asleep) then have it dial into your number and rake in the money. Much simpler than monetising a botnet, to my mind. And while the proliferation of smartphones amongst the masses is a recent thing, there have been smartphones in widespread use, in business particularly, for many years - including Windows mobile (if I had to put my trust anywhere, it would be in a *nix derived OS).

That's not to say it won't happen, but I'd go out on a limb and say the only attacks we're likely to see in the near future are of the social engineered, trick/entice the user into installing an app with a trojan piggybacking. While people are dumb enough to fall for such attacks there'll be little benefit in writing real viruses. One thing I like about the Android OS is that, when I install a piece of software, it will flag up all the phone processes that the app needs access to (so I can be justifiably suspicious if the new screensaver I'm installing wants access to the phone's dialling ability).

lol

[larry+bagina]

Microsoft Talks Back To Google's Security Claims -- coincidence?

just like installing a trojan on your computer!

...which could let the hacker get access.

I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

And the ability to "listen" for a call is called a BroadcastReceiver. It's nothing special or hackish. Think a trigger ruleset for Android like you have for your mail client.

Good god.

Re:just like installing a trojan on your computer!

[AndroidCat]

(If they can rootkit my Milestone down past the locked loader, I want to know how! [Yeah, of course I got an Android phone, it was .. destiny.])

Odds are there are far more stupid "smartphone" users than PC/Mac ones.

Want to tap virgin pools of stupidity? There's an app for it!

Re:just like installing a trojan on your computer!

[RenderSeven]

What can we do to defend against this?

Generally, dont lend your phone to security researchers at hacking conferences. Writing a rootkit makes good headlines but the article says they freely admit they dont have a clue how to install it with a rogue application.

Wow this article makes it so scary

[Technomancer]

From TFA: "The rootkit could also track a victim's location or even reroute his browser to a malicious Web site."
Really? And then what? The malicious website will install another worse rootkit?
It has rootkit! The phone is compromised, all the information you have on it is potentially leaked and the phone doesn't belong to your carrier anymore (it never belonged to you, you realize that, right?) it belongs to the rootkit operator. The only cure is to either flash it with fresh OS or burn it with fire.

It will be.

[maillemaker]

>Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as >they increase in popularity? I'm not being facetious, I come here because I don't know these answers. If it's not, it will be. Clearly there is big business to be made in compromising traditional computer systems today. In the early days (and I've been around computers since the TI99/4A) it seems that "viruses" were primarily made as a prank. But today the biggest threats seem to be botnets which are used for profit to either propagate spam and execute denial of service attacks through distributed means, or simply to skim valuable user account data off of the compromised systems. This is all far beyond the amateur pranks of old. It is now done for financial gain. Cell phones have rapidly become computers. All the benefits of compromising traditional computers will likely follow.

Re:It will be.

[maxwell+demon]

Not only that. Attackers could get your phone banking credentials by just recognizing when you call a phone banking number, and then recording the initial part of your phone call and sending the files to the attacker. Remember, as much as smartphones are computers, they are still phones (in principle it could be done for VoIP on traditional computers, too, but I guess few people do phone banking over VoIP). In addition, they often are GPS appliances as well, so additionally an attacker could use them to track you. It may even become a vector for ordinary computer malware: The malware gets onto the phone when synchronizing with the computer, then sends itself to another phone, and then gets onto another computer when synchronizing with that phone. It may be a way to get into computers which are otherwise firewalled well.

Re:Anti Virus?

Actually, Apple's way of doing it is to have complex analysis, bounds checking and simulation tools they run on your code before the approve. I'm not saying it's foolproof. It's just one case where not being open has its advantages

Re:Code can run on processors if installed properl

[GNUALMAFUERTE]

Sorry to reply to myself, but this ridiculous "research" comes out a day after Google announces it's ditching windows because it's insecure. Anyone smells microsoft behind this "independent research"?

Re:Anti Virus?

[mlts]

I'd like to see an antivirus scanner put into the fastboot or recovery image. This way, if a phone is rootkitted, someone can boot to the recovery, and run Tripwire like software which would catch unknown kernel modules, and for known malware signatures, a signature based AV would deal with those.

However, lets be realistic: AV software is the absolutely last bastion of defense. Before malware can trip the AV software, the OS or application should have dealt with it by either ignoring it and forbidding it to run, or actively killing what it was doing.

Re:Anti Virus?

[delinear]

It's to be expected, we all know what a massive issue viruses are on Linux, so we shouldn't really expect a Linux-based phone to be any different. Oh, wait...

Re:Anti Virus?

Who's stopping you from buying a plain cell phone? Spend $50, get an unlocked quadband GSM phone that works anywhere in the world, and the battery lasts nearly two weeks. I had one from Samsung for a while, it worked great.

The rest of us want some kind of highly portable computer that also happens to make phone calls. And we pay quite a bit more for that.