Slashdot Mirror


Android Rootkit Is Just a Phone Call Away

alphadogg writes "Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious 'rootkit' program they've written for Google's Android phone next month at the Defcon hacking conference in Las Vegas. Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. 'You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program],' said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research."

19 of 190 comments

  1. Anti Virus? by kobaz · · Score: 3, Insightful

    Is there going to be a huge market for antivirus software for cell phones within the next few years?

    --

    The goal of computer science is to build something that will last at least until we've finished building it.
    1. Re:Anti Virus? by v1 · · Score: 4, Insightful

      Is there going to be a huge market for antivirus software for cell phones within the next few years?

      For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

      Protecting your users from bad people isn't really very difficult. (firewall) Protecting them from themselves, that's a trick. (AV software)

      I'm surprised we haven't seen a much faster rise in malware for unlocked phones in the last few years.

      --
      I work for the Department of Redundancy Department.
    2. Re:Anti Virus? by Anonymous Coward · · Score: 4, Funny

      YM:

      Apple's way of checking if an app is valid:

      1: Does the app use competing products? Yes, denied.
      2: Is the app yet another flashlight or fart app? Approved.
      3: Does the app mention Google at all? It's outta here.
      4: Does the app do Web browsing? Gone.
      5: If it passes all of the previous 4, roll a d6. 1-4, approved, 4-6, denied for some random reason even though other apps got approved with the same issues.

    3. Re:Anti Virus? by MrHanky · · Score: 4, Insightful

      How exactly is OS X an exception? If you think OS X has effective protection against trojans and root kits, you're deluding yourself.

    4. Re:Anti Virus? by dougisfunny · · Score: 3, Informative

      Which isn't a real browser anyway.

      --
      This is not the funny you're looking for.
  2. just like installing a trojan on your computer! by Anonymous Coward · · Score: 5, Interesting

    ...which could let the hacker get access.

    I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

    And the ability to "listen" for a call is called a BroadcastReceiver. It's nothing special or hackish. Think a trigger ruleset for Android like you have for your mail client.

    Good god.
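Added example, not part of the comment above or of the original thread: a defender-side audit of a decoded AndroidManifest.xml that lists every BroadcastReceiver registered for incoming-call or SMS broadcasts and whether the app also holds the permissions to receive them and to reach the network. The sample manifest, package name and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
# Broadcasts that fire on an incoming call or SMS, and the permission each one needs.
TRIGGERS = {
    "android.intent.action.PHONE_STATE": "android.permission.READ_PHONE_STATE",
    "android.provider.Telephony.SMS_RECEIVED": "android.permission.RECEIVE_SMS",
}

# Constructed sample manifest (already decoded to text); all names are made up.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".CallWatcher">
      <intent-filter android:priority="999">
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootHelper">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return one finding per intent filter that listens for call/SMS broadcasts."""
    root = ET.fromstring(xml_text)
    granted = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            # Only count a trigger if the app also requested the permission it needs.
            hits = sorted(a for a in actions if a in TRIGGERS and TRIGGERS[a] in granted)
            if hits:
                findings.append({
                    "receiver": receiver.get(ANDROID + "name"),
                    "triggers": hits,
                    "priority": flt.get(ANDROID + "priority", "0"),
                    "can_exfiltrate": "android.permission.INTERNET" in granted,
                })
    return findings

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A finding is not proof of malice, since call screeners and SMS apps register the same receivers; it marks apps whose stated purpose should be checked against these triggers.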

    1. Re:just like installing a trojan on your computer! by AndroidCat · · Score: 3, Interesting

      (If they can rootkit my Milestone down past the locked loader, I want to know how! [Yeah, of course I got an Android phone, it was .. destiny.])

      Odds are there are far more stupid "smartphone" users than PC/Mac ones.

      Want to tap virgin pools of stupidity? There's an app for it!

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:just like installing a trojan on your computer! by mlts · · Score: 4, Informative

      Even if a user gives permissions, they may get their account and messages compromised, but unless there is an exploit the malware uses that isn't known by the modding/rooting community, there is NO WAY that something installed as an APK in a user account on a phone is going to be able to get root access to drop in a kernel module. Even if it did, phones like the Motorola Milestone have signed Linux kernels and are not built with the ability to load modules, so all it would do is nothing or cause the phone to bootloop.

      Don't forget, that a lot of kernels on Android phones are built monolithic and not allowing kernel extensions. A custom kernel that is explicitly built to allow .ko files on a G1 is likely what is needed for this exploit.

      I can see three ways that this kernel rootkit (which is nothing new -- there have been Linux kernel modules for rootkits since the late 1990s) can get on an Android device, and all three require a rooted phone:

      1: The app masquerades as a root utility. There are some utilities which are very useful for rooted phones. Droidwall, Autostarts, Wireless Tether, Wired Tether, root explorer, Titanium Backup, SQLite Editor, and a terminal emulator are must have utilities, because they add a lot of useful functionality. I can see a utility masquerading as something useful for rooted phones, getting installed, then going to town on the phone, replacing BusyBox with a utility that hides the rootkit, opening up a command port, and so on.

      2: Some malware is put on a custom ROM. This would kill the custom modding scene as we know it if this happens, and makes me wish that people who "cook" ROMs would PGP or gpg sign the images, so a determined blackhat would not be able to tamper with things.

      3: An app gets access to the SD card, manages to alter nandroid backups on the card and/or add an update.zip file which is signed, and then runs an update. This way, the malware package would be sucked in implicitly.

      So, for the average user with Android, a rootkit isn't going to happen unless it uses an exploit, and these days, RAMDLD exploits and such are rare for phones.

    3. Re:just like installing a trojan on your computer! by khchung · · Score: 4, Insightful

      I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

      And that's exactly why you and many /.ers cannot see the value proposition of the iPhone. For you, the Android phone is just a smaller PC, a general purpose computer, so if a user doesn't know enough not to install trojans, that's the user's problem.

      But to the users, the phone is an appliance, that is used daily and contains lots of private information. The last thing I want is for it to crash or get a trojan leaking my data. If the cost of that is I have to be subject to Apple's arbitrary rules, cannot run flash, may miss out on a few "cool" apps, and may not use the hardware to the fullest possibility, then so be it. I would still be using a 2G dumb phone if none of the phones in the market can give me that value.

      Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.

      As a user, I don't care if I am not using the hardware to the fullest possibility, what I care about is what kind of value proposition the product is giving me.

      --
      Oliver.
    4. Re:just like installing a trojan on your computer! by Pharmboy · · Score: 3, Insightful

      Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.

      But you are a different kind of user, just as iPhone customers are different than Android customers. Some of us WANT to tweak with the phone/system a bit and are willing to pay the price, ie: higher likelihood of issues and higher maintenance. This is the same reason I prefer PC games over console games.

      You don't have to be an uber hacker, or even a programmer, to appreciate the ability to tweak things. For you, the phone (or gaming console) is an "appliance". To me, my phone and computers are "tools", which can be sharpened, changed, upgraded, and sometimes broken. It is just a difference in expectations. I'm picking up my first Android in a week. The main reason I am getting one is to be able to ssh into my Linux servers and manage them from anywhere, and I mean anywhere. That doesn't sound like something you would do.

      --
      Tequila: It's not just for breakfast anymore!
    5. Re:just like installing a trojan on your computer! by khchung · · Score: 4, Insightful

      You missed the point. General users don't care about what advanced users cannot do. If you want a phone that you can install whatever you want, don't buy the iPhone.

      Secondly, whether by genius, pure luck, reality distortion field, crazy app store policy or whatever, Apple has successfully created the iPhone as a platform that can consistently deliver the intended appliance-like user experience.

      In contrast, it doesn't matter that you can write 2 papers or win every Slashdot argument that the Android is, in theory, just as secure as the iPhone. When users cannot buy from the app store because his country is not supported, when users can only install pirated apps because of that (and thus opening the opportunity for trojans), and when apps his friend told him about are invisible because of different OS version, it erodes the user's experience.

      Added on that, you got developers who think a user installing a trojan is his own fault, implying the user is responsible for learning to use the phone as a general purpose PC, then the phone failed to behave as an appliance, it lost its value for users looking for an appliance.

      --
      Oliver.
  3. Wow this article makes it so scary by Technomancer · · Score: 4, Interesting

    From TFA: "The rootkit could also track a victim's location or even reroute his browser to a malicious Web site."
    Really? And then what? The malicious website will install another worse rootkit?
    It has rootkit! The phone is compromised, all the information you have on it is potentially leaked and the phone doesn't belong to your carrier anymore (it never belonged to you, you realize that, right?) it belongs to the rootkit operator. The only cure is to either flash it with fresh OS or burn it with fire.

  4. It will be. by maillemaker · · Score: 3, Interesting

    > Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as they increase in popularity? I'm not being facetious, I come here because I don't know these answers.

    If it's not, it will be.

    Clearly there is big business to be made in compromising traditional computer systems today. In the early days (and I've been around computers since the TI99/4A) it seems that "viruses" were primarily made as a prank. But today the biggest threats seem to be botnets which are used for profit to either propagate spam and execute denial of service attacks through distributed means, or simply to skim valuable user account data off of the compromised systems. This is all far beyond the amateur pranks of old. It is now done for financial gain.

    Cell phones have rapidly become computers. All the benefits of compromising traditional computers will likely follow.

    --
    A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
  5. Talk about misleading headline! by AC-x · · Score: 5, Insightful

    The headline makes it sound like you can get infected with a root kit from a phone call which is nothing like what's being said, what a load of sensationalist bollocks.

    Why would you even want to activate a root kit via a phone call? The phone's got a permanent internet connection so it may as well just poll a server for commands.

  6. Pure and utter bullshit by Anonymous Coward · · Score: 4, Insightful

    You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell

    And then he can make the phone emit lasers that will kill your dog and drive your car into a wall!

    *sigh*

    The thing about a rootkit is that you need root before it works.

    Installing an app from Market (or anywhere else) won't do it.

    So.. in order for this to be a threat, the attacker would have to convince the user to root their phone (potentially bricking it), install their trojan app, then give that app root access.

    While there may be stupid people around, the number of stupid people who would root their phone, to install an app, and give that app root access, and not know that this is a stupid thing to do is minuscule (and IMHO those that would deserve everything they get.)

    This is a total non-issue.

  7. sooo. yeah? by Eil · · Score: 4, Insightful

    I'm not trying to belittle these guys' security research or anything, but why is it surprising that you can whip up a rootkit which runs on a phone? Anything with a CPU can have backdoors made for it. The hard part has always been getting the backdoors onto arbitrary devices without the owner knowing about it.

    Engineer a computer which can be proven secure and then I'll be impressed.

  8. Code can run on processors if installed properly. by GNUALMAFUERTE · · Score: 5, Insightful

    Film at 11.

    These guys installed a fucking KERNEL MODULE into that system. Well, they can make it receive calls, or they can make it play fucking tetris. It's code. You can write whatever you want, and execute it however you want, if you have access!

    Being able to run code in a given processor is NOT AN EXPLOIT, it's just basic functionality. If I got ahold of your computer, installed a CD drive in it, erased your OS, then installed Ubuntu on it, and used that to play tetris, is that considered a vulnerability too?

    It would be a vuln if they had the ability to install that fucking rootkit without physical access to the phone. That's the hard part.

    Article is FUD and submitter is trolling. 0/10

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  9. So what ... required physical access by smart_ass · · Score: 3, Insightful

    If I get physical access to your phone I can install something that can steal all your contact info and CC #s ...
    How about I steal the phone, steal the info and then reset the phone and use it myself ... no Rootkit required?

    What the hell ... how is this news?

    Slow day on /.

    --
    Ouch ... did I just say that.
  10. Wrong title. by mallyone · · Score: 3, Funny

    Should read: Android rootkit is just a fud call away.