Slashdot Mirror


Android Rootkit Is Just a Phone Call Away

alphadogg writes "Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious 'rootkit' program they've written for Google's Android phone next month at the Defcon hacking conference in Las Vegas. Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. 'You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program],' said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research."

43 of 190 comments

  1. Anti Virus? by kobaz · · Score: 3, Insightful

    Is there going to be a huge market for antivirus software for cell phones within the next few years?

    --

    The goal of computer science is to build something that will last at least until we've finished building it.
    1. Re:Anti Virus? by v1 · · Score: 4, Insightful

      Is there going to be a huge market for antivirus software for cell phones within the next few years?

      For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

      Protecting your users from bad people isn't really very difficult. (firewall) Protecting them from themselves, that's a trick. (AV software)

      I'm surprised we haven't seen a much faster rise in malware for unlocked phones in the last few years.

      --
      I work for the Department of Redundancy Department.
    2. Re:Anti Virus? by Totenglocke · · Score: 2, Insightful

      I'd rather just see anti-virus software on PCs incorporate definitions for mobile phone viruses / rootkits as well - that way you can just run a virus scan once a week with your phone plugged into your computer and not have to worry about killing the battery life on your phone.

      --
      "The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants." ~Thomas Jefferson
    3. Re:Anti Virus? by FatdogHaiku · · Score: 2, Insightful

      wait, you mean i have to trust the code i execute?

      Only on devices you want to reliably and securely use...
      it's kind of like that rule about only flossing the teeth you want to keep.

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    4. Re:Anti Virus? by Skuld-Chan · · Score: 2, Insightful

      Haven't read the article yet - so I wonder if this affects stock android phones. The default setting for android is not to install anything unsigned.

    5. Re:Anti Virus? by Anonymous Coward · · Score: 4, Funny

      YM:

      Apple's way of checking if an app is valid:

      1: Does the app use competing products? Yes, denied.
      2: Is the app yet another flashlight or fart app? Approved.
      3: Does the app mention Google at all? It's outta here.
      4: Does the app do Web browsing? Gone.
      5: If it passes all of the previous 4, roll a d6. 1-4, approved, 4-6, denied for some random reason even though other apps got approved with the same issues.

    6. Re:Anti Virus? by mlts · · Score: 2, Interesting

      I'd like to see an antivirus scanner put into the fastboot or recovery image. This way, if a phone is rootkitted, someone can boot to the recovery, and run Tripwire like software which would catch unknown kernel modules, and for known malware signatures, a signature based AV would deal with those.

      However, let's be realistic: AV software is the absolutely last bastion of defense. Before malware can trip the AV software, the OS or application should have dealt with it by either ignoring it and forbidding it to run, or actively killing what it was doing.

    7. Re:Anti Virus? by erroneus · · Score: 2, Insightful

      Don't jump to conclusions about this. A rootkit is not a virus and isn't necessarily malware at all depending on how it is applied and used.

      I could describe similar behaving software as an anti-theft and tracking function. Say someone steals my shiny new android phone and I want it back. Once I have some sort of access to the phone, I can ask it to take pictures and send them back to me. I can ask it to get a GPS read and send it back to me. I can ask it to get a log of activities such as options explored and executed, phone calls, text messages, web or other internet activity, track motion and location data to show where the phone has been and when -- anything to help identify where the phone is and who took it. The door to this functionality, of course, would be triggered by a phone call from a particular source (or a particular caller ID) or a specially crafted SMS text message.

      This discussion isn't about INFECTING a phone with a phone call or SMS text message. The planting of the rootkit most often comes from the execution of untrustworthy code, for example, a Sony-BMG music CD. The rootkit would be inserted by a game or app that the user himself decided to execute. While there is always the possibility of a web drive-by installation the way we hear about on Windows computers, I think it is more likely that the user would have to be misled or fooled into running the code to install the rootkit.

      Such techniques would be used by both "bad guys" (criminals) and "other bad guys" (law enforcement).

    8. Re:Anti Virus? by MrHanky · · Score: 4, Insightful

      How exactly is OS X an exception? If you think OS X has effective protection against trojans and root kits, you're deluding yourself.

    9. Re:Anti Virus? by HappyClown · · Score: 2, Insightful

      For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

      How exactly is OS X an exception?

      Due to the notably disproportionate lack of spyware on the Mac.

      By that logic, if I leave my front door open year round yet don't get burgled, my home must be burglar proof!

    10. Re:Anti Virus? by delinear · · Score: 2, Informative

      Unless he wipes the OS too, there's already an app that, when your sim card is replaced, will send you a text message or email with the GPS location of the phone. If you have it send a text message, you also get the number of the new sim, so you can go directly to the police with the (reasonably) exact location of the phone and the contact details of the registered purchaser of the sim.

    11. Re:Anti Virus? by delinear · · Score: 2, Interesting

      It's to be expected, we all know what a massive issue viruses are on Linux, so we shouldn't really expect a Linux-based phone to be any different. Oh, wait...

    12. Re:Anti Virus? by Anonymous Coward · · Score: 2, Informative

      "Signed" in Android terms doesn't actually mean much. Developers self-sign their apps. The point? I really don't know. What you're talking about is the setting that allows users to install apps from sources other than the Market.

    13. Re:Anti Virus? by Anonymous Coward · · Score: 2, Interesting

      Who's stopping you from buying a plain cell phone? Spend $50, get an unlocked quadband GSM phone that works anywhere in the world, and the battery lasts nearly two weeks. I had one from Samsung for a while, it worked great.

      The rest of us want some kind of highly portable computer that also happens to make phone calls. And we pay quite a bit more for that.

    14. Re:Anti Virus? by dougisfunny · · Score: 3, Informative

      Which isn't a real browser anyway.

      --
      This is not the funny you're looking for.
  2. Hacking mobiles by lobf · · Score: 2, Interesting

    Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as they increase in popularity? I'm not being facetious, I come here because I don't know these answers.

    1. Re:Hacking mobiles by Seth024 · · Score: 2, Interesting

      That's certainly possible.

      The big problem I believe is that there are so many different operating systems (Symbian, iPhone OS, Android...) that all have a part of the market. Being able to write a virus/find a backdoor to control 90% of PCs is very profitable. Just like there are not many people writing viruses for Mac OS or Linux, there are not many viruses for mobile phones (yet).

    2. Re:Hacking mobiles by delinear · · Score: 2, Interesting

      I would have thought, if it was easy, it would certainly already be happening. The smartphone market might be small compared to a desktop OS like Windows, but the possibility for profit is much more immediate, since you have a device which can connect to premium services without any further need to obtain secure passwords or banking details, etc. from the owner. You just set up a premium number in a foreign locale, have the software wait until the phone is idling (on charge maybe, and not been touched for a couple of hours, so you can assume the owner is probably asleep) then have it dial into your number and rake in the money. Much simpler than monetising a botnet, to my mind. And while the proliferation of smartphones amongst the masses is a recent thing, there have been smartphones in widespread use, in business particularly, for many years - including Windows mobile (if I had to put my trust anywhere, it would be in a *nix derived OS).

      That's not to say it won't happen, but I'd go out on a limb and say the only attacks we're likely to see in the near future are of the social engineered, trick/entice the user into installing an app with a trojan piggybacking. While people are dumb enough to fall for such attacks there'll be little benefit in writing real viruses. One thing I like about the Android OS is that, when I install a piece of software, it will flag up all the phone processes that the app needs access to (so I can be justifiably suspicious if the new screensaver I'm installing wants access to the phone's dialling ability).

  3. lol by larry+bagina · · Score: 2, Interesting

    Microsoft Talks Back To Google's Security Claims -- coincidence?

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  4. just like installing a trojan on your computer! by Anonymous Coward · · Score: 5, Interesting

    ...which could let the hacker get access.

    I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

    And the ability to "listen" for a call is called a BroadcastReceiver. It's nothing special or hackish. Think a trigger ruleset for Android like you have for your mail client.

    Good god.

    1. Re:just like installing a trojan on your computer! by AndroidCat · · Score: 3, Interesting

      (If they can rootkit my Milestone down past the locked loader, I want to know how! [Yeah, of course I got an Android phone, it was .. destiny.])

      Odds are there are far more stupid "smartphone" users than PC/Mac ones.

      Want to tap virgin pools of stupidity? There's an app for it!

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:just like installing a trojan on your computer! by mlts · · Score: 4, Informative

      Even if a user gives permissions, they may get their account and messages compromised, but unless there is an exploit the malware uses that isn't known by the modding/rooting community, there is NO WAY that something installed as an APK in a user account on a phone is going to be able to get root access to drop in a kernel module. Even if it did, phones like the Motorola Milestone have signed Linux kernels and are not built with the ability to load modules, so all it would do is nothing or cause the phone to bootloop.

      Don't forget, that a lot of kernels on Android phones are built monolithic and not allowing kernel extensions. A custom kernel that is explicitly built to allow .ko files on a G1 is likely what is needed for this exploit.

      I can see three ways that this kernel rootkit (which is nothing new -- there have been Linux kernel modules for rootkits since the late 1990s) can get on an Android device, and all three require a rooted phone:

      1: The app masquerades as a root utility. There are some utilities which are very useful for rooted phones. Droidwall, Autostarts, Wireless Tether, Wired Tether, root explorer, Titanium Backup, SQLite Editor, and a terminal emulator are must have utilities, because they add a lot of useful functionality. I can see a utility masquerading as something useful for rooted phones, getting installed, then going to town on the phone, replacing BusyBox with a utility that hides the rootkit, opening up a command port, and so on.

      2: Some malware is put on a custom ROM. This would kill the custom modding scene as we know it if this happens, and makes me wish that people who "cook" ROMs would PGP or gpg sign the images, so a determined blackhat would not be able to tamper with things.

      3: An app gets access to the SD card, manages to alter nandroid backups on the card and/or add an update.zip file which is signed, and then runs an update. This way, the malware package would be sucked in implicitly.

      So, for the average user with Android, a rootkit isn't going to happen unless it uses an exploit, and these days, RAMDLD exploits and such are rare for phones.

    3. Re:just like installing a trojan on your computer! by RenderSeven · · Score: 2, Interesting

      What can we do to defend against this?

      Generally, don't lend your phone to security researchers at hacking conferences. Writing a rootkit makes good headlines but the article says they freely admit they don't have a clue how to install it with a rogue application.

    4. Re:just like installing a trojan on your computer! by khchung · · Score: 4, Insightful

      I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

      And that's exactly why you and many /.ers cannot see the value proposition of the iPhone. For you, the Android phone is just a smaller PC, a general purpose computer, so if a user doesn't know enough not to install trojans, that's the user's problem.

      But to the users, the phone is an appliance, that is used daily and contains lots of private information. The last thing I want is for it to crash or get a trojan leaking my data. If the cost of that is I have to be subject to Apple's arbitrary rules, cannot run flash, may miss out on a few "cool" apps, and may not use the hardware to the fullest possibility, then so be it. I would still be using a 2G dumb phone if none of the phones in the market can give me that value.

      Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.

      As a user, I don't care if I am not using the hardware to the fullest possibility, what I care is what kind of value proposition the product is giving me.

      --
      Oliver.
    5. Re:just like installing a trojan on your computer! by delinear · · Score: 2, Insightful

      What evidence do you have that it's any more or less difficult to execute this kind of attack against the Android over the iPhone? Both have locked down market places where regular users go for all of their app needs, the only difference is that more advanced users can install code from outside the market place on the Android. The kind of users who go to these lengths tend to have a bit more technical savvy, and would likely be the type of people who would jailbreak their iPhone anyway, exposing it to the same risk. What many /.ers object to is not that there is a walled app market, in fact the majority can probably agree that for average users this is a good thing, but that there's no means for the more advanced user to step outside that market without invalidating their warranty. Android shows that it's entirely possible to incorporate both approaches, but if you can demonstrate it's more vulnerable to attacks in the wild because of this, I'm certainly listening.

    6. Re:just like installing a trojan on your computer! by Pharmboy · · Score: 3, Insightful

      Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.

      But you are a different kind of user, just as iPhone customers are different than Android customers. Some of us WANT to tweak with the phone/system a bit and are willing to pay the price, ie: higher likelihood of issues and higher maintenance. This is the same reason I prefer PC games over console games.

      You don't have to be an uber hacker, or even a programmer, to appreciate the ability to tweak things. For you, the phone (or gaming console) is an "appliance". To me, my phone and computers are "tools", which can be sharpened, changed, upgraded, and sometimes broken. It is just a difference in expectations. I'm picking up my first Android in a week. The main reason I am getting one is to be able to ssh into my Linux servers and manage them from anywhere, and I mean anywhere. That doesn't sound like something you would do.

      --
      Tequila: It's not just for breakfast anymore!
    7. Re:just like installing a trojan on your computer! by khchung · · Score: 4, Insightful

      You missed the point. General users don't care about what advance users cannot do. If you want a phone that you can install whatever you want, don't buy the iPhone.

      Secondly, whether by genius, pure luck, reality distortion field, crazy app store policy or whatever, Apple has successfully created the iPhone as a platform that can consistently deliver the intended appliance-like user experience.

      In contrast, it doesn't matter that you can write 2 papers or win every Slashdot argument that the Android is, in theory, just as secure as the iPhone. When users cannot buy from the app store because his country is not supported, when users can only install pirated app because of that (and thus opening the opportunity for trojans), and when apps his friend told him about are invisible because of different OS version, it erodes the user's experience.

      Added on that, you got developers who think a user installing a trojan is his own fault, implying the user is responsible for learning to use the phone as a general purpose PC, then the phone failed to behave as an appliance, it lost its value for users looking for an appliance.

      --
      Oliver.
    8. Re:just like installing a trojan on your computer! by MikeBabcock · · Score: 2, Insightful

      You know if you posted other than AC you could answer this ...

      But have you seen how the permissions work on Android?

      When installing this app you'd have to give it permission to do the things it does. It asks explicitly.

      --
      - Michael T. Babcock (Yes, I blog)
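
An added example, not part of the original thread: a small audit of the mechanism the comments above describe, a BroadcastReceiver that fires on incoming calls or SMS plus the permissions the user is asked to grant at install time. It assumes the APK's manifest has already been decoded to text XML; the sample manifest, package name and receiver names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Broadcast actions sent on an incoming call or SMS, mapped to the
# permission an app declares alongside each of them.
TRIGGERS = {
    "android.intent.action.PHONE_STATE": "android.permission.READ_PHONE_STATE",
    "android.provider.Telephony.SMS_RECEIVED": "android.permission.RECEIVE_SMS",
}

# Constructed sample: a "wallpaper" app that watches incoming calls.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Pretty Wallpaper">
    <activity android:name=".Main"/>
    <receiver android:name=".CallWatcher">
      <intent-filter android:priority="999">
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootHelper">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _priority(intent_filter):
    """Return the filter priority as an int, or None if it is a resource reference."""
    raw = intent_filter.get(A + "priority", "0")
    try:
        return int(raw)
    except ValueError:
        return None


def audit_manifest(xml_text):
    """List statically registered receivers triggered by calls or SMS.

    Note: the stdlib parser is used for brevity; use a hardened XML parser
    when the manifest comes from an untrusted APK.
    """
    root = ET.fromstring(xml_text)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings, seen_actions = [], set()
    for receiver in root.iter("receiver"):
        for filt in receiver.findall("intent-filter"):
            for action in filt.findall("action"):
                name = action.get(A + "name")
                if name not in TRIGGERS:
                    continue
                seen_actions.add(name)
                findings.append({
                    "receiver": receiver.get(A + "name"),
                    "action": name,
                    "priority": _priority(filt),
                    "permission_requested": TRIGGERS[name] in requested,
                })
    # Trigger permissions requested without a matching manifest receiver:
    # the receiver may be registered at run time, so these deserve a look too.
    unused = sorted(perm for act, perm in TRIGGERS.items()
                    if perm in requested and act not in seen_actions)
    return {
        "package": root.get("package"),
        "findings": findings,
        "network_access": "android.permission.INTERNET" in requested,
        "unused_trigger_permissions": unused,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "network access:", report["network_access"])
    for f in report["findings"]:
        print("  receiver", f["receiver"], "on", f["action"],
              "priority", f["priority"])
    for perm in report["unused_trigger_permissions"]:
        print("  requested without manifest receiver:", perm)
```

A call or SMS receiver combined with network access in an app whose stated purpose needs neither is the mismatch the install-time permission prompt is meant to expose.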
  5. Wow this article makes it so scary by Technomancer · · Score: 4, Interesting

    From TFA: "The rootkit could also track a victim's location or even reroute his browser to a malicious Web site."
    Really? And then what? The malicious website will install another worse rootkit?
    It has rootkit! The phone is compromised, all the information you have on it is potentially leaked and the phone doesn't belong to your carrier anymore (it never belonged to you, you realize that, right?) it belongs to the rootkit operator. The only cure is to either flash it with fresh OS or burn it with fire.

  6. It will be. by maillemaker · · Score: 3, Interesting

    > Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as they increase in popularity? I'm not being facetious, I come here because I don't know these answers.

    If it's not, it will be. Clearly there is big business to be made in compromising traditional computer systems today. In the early days (and I've been around computers since the TI99/4A) it seems that "viruses" were primarily made as a prank. But today the biggest threats seem to be botnets which are used for profit to either propagate spam and execute denial of service attacks through distributed means, or simply to skim valuable user account data off of the compromised systems. This is all far beyond the amateur pranks of old. It is now done for financial gain. Cell phones have rapidly become computers. All the benefits of compromising traditional computers will likely follow.

    --
    A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
    1. Re:It will be. by maxwell+demon · · Score: 2, Interesting

      Not only that. Attackers could get your phone banking credentials by just recognizing when you call a phone banking number, and then recording the initial part of your phone call and sending the files to the attacker. Remember, as much as smartphones are computers, they are still phones (in principle it could be done for VoIP on traditional computers, too, but I guess few people do phone banking over VoIP). In addition, they often are GPS appliances as well, so additionally an attacker could use them to track you. It may even become a vector for ordinary computer malware: The malware gets onto the phone when synchronizing with the computer, then sends itself to another phone, and then gets onto another computer when synchronizing with that phone. It may be a way to get into computers which are otherwise firewalled well.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  7. Talk about misleading headline! by AC-x · · Score: 5, Insightful

    The headline makes it sound like you can get infected with a root kit from a phone call which is nothing like what's being said, what a load of sensationalist bollocks.

    Why would you even want to activate a root kit via a phone call? The phone's got a permanent internet connection so it may as well just poll a server for commands.

    1. Re:Talk about misleading headline! by Xest · · Score: 2, Insightful

      Yep, I'm trying to figure out what exactly the point of this demonstration is.

      It's like the guy in question has just figured out that you can write software that does bad things, not just good things, and so has written a piece to demonstrate this.

      What can be done is irrelevant, we already know what can be done, the problem is doing it, and that needs an attack vector, ideally a remotely exploitable one for the "best" hacks, and this guy hasn't found any.

      I'm not even sure it serves as an example of the future of malware, it's hardly even imaginative. I suspect future malware threats will more likely involve things like P2P networks setup by the malware itself that is used to distribute updates that provide the malware with new exploits to try infecting other machines with or that receives anti-anti-virus updates to kill off any AV software even if attempts are made to update it. In general, I suspect malware will get a whole lot more intelligent in terms of mining data on infected systems, making users believe there's nothing wrong, and in spreading itself.

      The example in TFA demonstrates none of this sort of thing, just stuff that's long already been done. Hell, even my examples are hardly that far fetched, I'm sure some malware out there already does a lot of this sort of thing right now.

  8. Pure and utter bullshit by Anonymous Coward · · Score: 4, Insightful

    You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell

    And then he can make the phone emit lasers that will kill your dog and drive your car into a wall!

    *sigh*

    The thing about a rootkit is that you need root before it works.

    Installing an app from Market (or anywhere else) won't do it.

    So.. in order for this to be a threat, the attacker would have to convince the user to root their phone (potentially bricking it), install their trojan app, then give that app root access.

    While there may be stupid people around, the number of stupid people who would root their phone, to install an app, and give that app root access, and not know that this is a stupid thing to do is minuscule (and IMHO those that would deserve everything they get.)

    This is a total non-issue.

  9. sooo. yeah? by Eil · · Score: 4, Insightful

    I'm not trying to belittle these guys' security research or anything, but why is it surprising that you can whip up a rootkit which runs on a phone? Anything with a CPU can have backdoors made for it. The hard part has always been getting the backdoors onto arbitrary devices without the owner knowing about it.

    Engineer a computer which can be proven secure and then I'll be impressed.

  10. Code can run on processors if installed properly. by GNUALMAFUERTE · · Score: 5, Insightful

    Film at 11.

    These guys installed a fucking KERNEL MODULE into that system. Well, they can make it receive calls, or they can make it play fucking tetris. It's code. You can write whatever you want, and execute it however you want, if you have access!

    Being able to run code in a given processor is NOT AN EXPLOIT, it's just basic functionality. If I got ahold of your computer, installed a CD drive in it, erased your OS, then installed Ubuntu on it, and used that to play tetris, is that considered a vulnerability too?

    It would be a vuln if they had the ability to install that fucking rootkit without physical access to the phone. That's the hard part.

    Article is FUD and submitter is trolling. 0/10

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  11. Re:Code can run on processors if installed properl by GNUALMAFUERTE · · Score: 2, Interesting

    Sorry to reply to myself, but this ridiculous "research" comes out a day after Google announces it's ditching Windows because it's insecure. Anyone smell Microsoft behind this "independent research"?

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  12. Re:Don't worry, be happy! by Anonymous Coward · · Score: 2, Insightful

    It's not a bug. They say "once it's installed." This isn't a rootkit, it's just an app that responds to incoming calls (anyone can do this now). There would still need to be an exploit to get the app installed in the first place. The title is certainly a little misleading.

  13. So what ... required physical access by smart_ass · · Score: 3, Insightful

    If I get physical access to your phone I can install something that can steal all your contact info and CC #s ...
    How about I steal the phone, steal the info and then reset the phone and use it myself ... no Rootkit required?

    What the hell ... how is this news?

    Slow day on /.

    --
    Ouch ... did I just say that.
  14. Wrong title. by mallyone · · Score: 3, Funny

    Should read: Android rootkit is just a fud call away.

  15. Re:So...Your Soon-To-Be Wife Loads up Your Android by tmach · · Score: 2, Funny

    If my wife could create a rootkit, I wouldn't be divorcing her!

  16. Physical Access by slater86 · · Score: 2, Insightful

    Once it's installed on the Android phone

    One would assume that if you had physical access to most equipment, it's usually game over anyway. No more vulnerable than a netbook really (both being more portable than desktops). Just more people have phones.

    --
    When people ask if I'm an optimist, I say "I hope so". --Bill Bailey
  17. Re:Typical Slashdot ... by delinear · · Score: 2, Insightful

    There is no magic exploit. If I got physical access to your Android, I could root it then install a rootkit. If I got access to your iPhone, I could jailbreak it and install a rootkit. If I got access to either of your phones, why would I bother when I could just sell them for a guaranteed return? And if I have no access to your phone, how do I root it and install a rootkit? This isn't Apple vs Google, it's AV vendor FUD vs. common sense. By muddying the water you're working against common sense.