Silent, Easily Made Android Rootkit Released At DefCon
An anonymous reader writes with news that security experts from Spider Labs released a kernel level rootkit for Android devices at DefCon on Friday. "As a proof of concept, it is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number.' This ultimately results in full root access on the Android device." The rootkit was developed over a period of two weeks, and has been handed out to DefCon attendees on DVD.
Do you have to have a rooted device already in order to install it or does it use an exploit to gain this? Will it show the usual warnings about permission requirements when installing?
If it does use an exploit, it would be interesting to use this for regular rooting of the devices.
I've noticed a 0-day vulnerability in old ladies in that I can hit them over the head with a cudgel and steal their handbags.
Already patched; the handbags have been upgraded to include a pink-enameled snub .38.
... an important question.
(The Spider Labs people claim) they did this to prompt Google to issue a fix. However, since the carriers seem to be very slow in updating the Android OS for their phones (a substantial number, perhaps a majority have never received an update), WHEN CAN WE EXPECT A FIX to get to the millions of phones out there? Compare this to the Apple ecosystem which received an update for their (admittedly widely publicized) Antennagate issue within weeks (whether or not it actually fixed anything is another question). In general Apple devices are (forcibly?) updated much more quickly. Perhaps this is because of his holiness's... I mean Steve Jobs' powers of persuasion. ;)
Of course as an A/C I can't prove it but if you look at the submission, you'll see that's what I said. I no longer log in because I feel that while attacking a company's products is fair game (specifically Apple), having stories singling out their users as "selfish" and unkind is not "news for nerds stuff that matters". Am I an Apple fanboi? Let's just say I've used NIX for decades (yes I'm old) and I'm not talking OS X.
1st:
Not news. Anything with a processor in it can run software. That software can do a number of things, and, considering that the processor is Turing complete, it can actually do anything. Including allowing remote stealth access. That is NOT news and is NOT a vulnerability or anything to get excited about. Show me that you found a buffer overflow in Android's TCP stack that allows you to run arbitrary code on the device remotely. Of course you can put a rootkit in there after gaining access, you could run Tetris for all I care. If you need unlimited rw access to the software to set up your malware, that is not fucking news.
2nd:
FTFA:
"Attendees pay $140 in cash to attend and are not required to provide their names to attend the conference. Law enforcement posts undercover agents in the audience to spot criminals and government officials recruit workers to fight computer crimes and for the Department of Defense."
(Reporting by Jim Finkle; additional reporting by Alexei Oreskovic in San Francisco; editing by Andre Grenon)
Wow. Just wow. Attentive Attendees attend to the conference. No shit. Andre Grenon could be a /. editor.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
I think you and many others on your side of the fence are missing something important. You know those cheap tiny "locks" that come with so many little boxes or other devices? The ones that all have the same key? Would you consider using those to lock anything important up? I'm guessing you wouldn't. You probably realize that they are too weak even to be considered a lock at all.
For some im/morality is enough of a deterrent to prevent them from doing bad things. For others, fear of punishment under the law might be enough. But without a doubt, it's not enough for everyone. Some of those people will go to great and surprising lengths to get what they want. And there are most certainly weaknesses and vulnerabilities that are not shared with the general public. And without these larger events that literally celebrate sneaky, underhanded tricks, the "secrets" shared there would also remain as dark, underground secrets that are known by a few.
Let's put it another way. These events that you seem to believe shouldn't exist serve as a spotlight not only to humiliate the vendors and producers of bad locks, but also shed light on otherwise dark and unknown vulnerabilities, giving the public an opportunity for awareness they wouldn't otherwise have and for them not to become victims of these weaknesses. These celebrations help to reduce the number of secret vulnerabilities by making them less secret.
Do you really think it would be better if people got owned and never found out why or how?
Some of these security researchers are the Louis Pasteurs of the day. Before Pasteur, people believed in "spontaneous generation." Currently, many people still believe their computers and other devices are simply magic.
computers and other devices are simply magic.
Why wouldn't they; some of them are even advertised that way.
You don't need to flash your phone to root it. (How do you flash your phone without rooting it?) Here's how I did mine.
It means that the rootkit can establish a connection from the victim to the attacker and receive orders from him/her. Since it's TCP I'm guessing it can also connect to IRC and other services that use TCP rather than UDP or more obscure protocols.
So yet more developers want to make a name for themselves by elevating a non-issue. I am currently attending their talk, and must admit that I am disappointed.
The first half of the presentation is them chatting about how rooting a phone is desirable due to its intimate association with the user. No shit! Everybody knows this.
So let's get to the interesting part: There is no new attack vector. No propagation from Dalvik VM to kernel. No new technique. They wrote a Linux rootkit, like anyone can do. It is a kernel module. Anyone can make one of those. It hooks the kernel in various places to hide itself from various process / module listings. How innovative? Please.
They call this an exploit ... nothing is exploited. They willingly participate in the installation at the root level. Their conclusion seems to be that someone with root has access to everything on a system. Shocking, eh?
The only funny part is that this took them 2 weeks to create. How terribly disappointing.
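A defender's cross-view check for the behaviour the comment above describes (a kernel module that hides itself from module listings), added here as an example and not part of the thread or of the Spider Labs code: it compares the names in `/proc/modules` with the loadable-module entries under `/sys/module`. The sample tree and the module name `example_unlisted` are constructed, and the check assumes the hidden module is still visible in sysfs.

```python
import os
import tempfile

def listed_modules(proc_modules_text):
    """Module names from /proc/modules text (first field of each line)."""
    return {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}

def sysfs_loadable_modules(sys_module_dir):
    """Names under /sys/module that carry an 'initstate' file.

    Loadable modules expose initstate; built-in code that only has
    parameters does not, so it is skipped.
    """
    return {
        name for name in os.listdir(sys_module_dir)
        if os.path.isfile(os.path.join(sys_module_dir, name, "initstate"))
    }

def cross_view(proc_modules_path="/proc/modules", sys_module_dir="/sys/module"):
    """Return (in sysfs but unlisted, listed but missing from sysfs)."""
    with open(proc_modules_path) as fh:
        listed = listed_modules(fh.read())
    in_sysfs = sysfs_loadable_modules(sys_module_dir)
    return sorted(in_sysfs - listed), sorted(listed - in_sysfs)

def build_constructed_tree(root):
    """Constructed sample data: fake /proc/modules and /sys/module under root."""
    proc_modules = os.path.join(root, "modules")
    sys_module = os.path.join(root, "sys_module")
    with open(proc_modules, "w") as fh:
        fh.write("wlan 212992 0 - Live 0x0000000000000000\n"
                 "bluetooth 98304 2 - Live 0x0000000000000000\n")
    # Loadable modules get an initstate file; 'example_unlisted' is the
    # constructed module that the listing omits.
    for name in ("wlan", "bluetooth", "example_unlisted"):
        os.makedirs(os.path.join(sys_module, name))
        with open(os.path.join(sys_module, name, "initstate"), "w") as fh:
            fh.write("live\n")
    # Built-in entry: parameters only, no initstate, so never flagged.
    os.makedirs(os.path.join(sys_module, "printk", "parameters"))
    return proc_modules, sys_module

def demo():
    with tempfile.TemporaryDirectory() as root:
        return cross_view(*build_constructed_tree(root))

if __name__ == "__main__":
    unlisted, missing = demo()
    print("in sysfs but not in module list:", unlisted)
    print("listed but missing from sysfs:", missing)
```

Called with no arguments, `cross_view()` reads the live `/proc/modules` and `/sys/module` on a Linux or Android system. A module that is absent from both views is not detected by this comparison.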