Slashdot Mirror


Prototype Clickjacking Rootkit Developed For Android

ShipLives writes "Mobile security researchers have identified an aspect of Android 4.0.4 (Ice Cream Sandwich) and earlier models that clickjacking rootkits could exploit. As part of an effort to identify potential weaknesses in smartphone platforms, the team was able to develop a proof-of-concept prototype rootkit that attacks the Android framework, rather than the underlying operating system kernel."

51 comments

  1. And worse by Billly Gates · · Score: 0

    All the regular apps including AV software are crippled in a garden so an infection like this can not be cleaned up easily.

    I have a phone that is probably infected as my Galaxy 1 is slow and its browser crashes once a day. There is no way to fix it either as AV software just looks for bad apps and does not check system files or anything else.

    1. Re:And worse by Jello B. · · Score: 1

      It's not like malware exists just to make things run slower and crash. And most reasons software does that isn't because of malware.

    2. Re:And worse by Anonymous Coward · · Score: 0

      >my Galaxy 1 is slow and its browser crashes once a day.

      Sounds about normal to me. Mine has been the same way for a year...

    3. Re:And worse by bmo · · Score: 4, Informative

      >And most reasons software does that isn't because of malware.

      The most significant symptom of malware infection to Joe User is "my computer is slow." Basically because once you have *one* malware infection, others soon follow, because you haven't kept up with updates, install software from random untrusted sites, or are the victim of a leveraged vulnerability or all three. All these bits of malware fight over the same resources and kill the device's usability.

      I have personally seen machines with hundreds of infections. This is typical. The user will muddle along until a certain frustration level is met or the computer simply refuses to finish booting, because the virus load is too much for the poor machine to handle.

      "My Computer is Slow" is likely a sign that your system has been compromised for quite a while and there is no malware removal tool that can fix it - a wipe and reinstall of the OS is in order.

      --
      BMO

    4. Re:And worse by Xenx · · Score: 5, Informative

      It's not security model difference between iOS and Android, it's a design philosophy difference. Android isn't designed to keep you in the walled garden. As such, iOS will always be more secure. Giving users a choice invariably leads to some of them making the wrong choice. That isn't a fault of Android, it's a fault in the rest of society.

    5. Re:And worse by bmo · · Score: 2

      >There has to be a balance between free/open and secure.
      >implying that closed source is more secure
      >implying

      No.

      >Apple almost nailed it right on

      No, no they didn't. They are anti-FOSS. The only thing they got right was taking the software repository idea from the FOSS world and calling it a store. Where they failed is that they don't allow other stores/repositories in spite of the fact that the FOSS world has been living with multiple trusted repositories for many, many years now.

      --
      BMO

    6. Re:And worse by imamac · · Score: 1

      [quote]It's not security model difference between iOS and Android[/quote] Seems to me that's exactly what it is. Part of it is design philosophy, too, of course.

    7. Re:And worse by imamac · · Score: 1

      I wasn't talking about source code.

    8. Re:And worse by djl4570 · · Score: 1

      Opera for Tablets works a lot better than the default browser on my Galaxy Tab 10.1. Now I need to learn how to diagnose malware.

    9. Re:And worse by bmo · · Score: 2

      >That isn't a fault of Android, it's a fault in the rest of society.

      This.

      The rest of society wants its purple gorillas in spite of the fact that it's badware.

      --
      BMO

    10. Re:And worse by MobileTatsu-NJG · · Score: 1

      >Where they failed is that they don't allow other stores/repositories in spite of the fact that the FOSS world has been living with multiple trusted repositories for many, many years now.

      Heh. It's just Android that hasn't.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    11. Re:And worse by Anonymous Coward · · Score: 0

      "There has to be a balance between free/open and secure."

      The balance I want is 100% free and open. Without being totally in control of my computer, I CANNOT know that it is secure.

      And sorry, but I have a better track record than walled gardens. iOS's is pwned right out of the box - by Apple. It's unacceptable for anyone to pwn my systems, doesn't matter if it's Apple or a Russian crime syndicate. The fact remains that iOS is untrustworthy; since it's controlled by someone else, it follows that it cannot be trusted by ME.

    12. Re:And worse by recoiledsnake · · Score: 0

      I love it how this fact only comes up when it's Slashdot's darling OS, but the same fact is projected as a failure of Microsoft when it comes to Windows malware in countless +5 insightful comments over the years. Hypocrisy to the core.

      --
      This space for rent.

    13. Re:And worse by Anonymous Coward · · Score: 0

      >There has to be a balance between free/open and secure. When it comes to phones, Apple almost nailed it right on. I think they could relax just a tad, but overall they got it right.

      I don't know if you are trolling, but you are wrong.

      The manufacturer should never have more capability to access a device than the end user. Apple utterly fails at that. Note that the video here is a rootkit, which means iOS and every other platform is just as vulnerable as Android.

    14. Re:And worse by Xenx · · Score: 1

      Some people might feel that way, I do not. I wouldn't take all blame away from MS for some of the things about their OS. But, the blame for installing crap software lies on the user.. regardless of the OS.

    15. Re:And worse by Xenx · · Score: 2

      My point is that it was a design choice to allow a freedom to install apps. It isn't a situation where you can compare security models and just say iOS is better. You can make arguments about which method is preferred, but not which is better.

    16. Re:And worse by Xenx · · Score: 1

      Feature phones are still widely available, everywhere I've seen. So, either you aren't looking.. or just want to bitch about a problem that doesn't exist yet.

    17. Re:And worse by imamac · · Score: 1

      Okay, I'll buy that. A lot of this debate does come down to personal choice. I have much more confidence in Apple's walled garden (which is a massive garden, btw) as opposed to the chaos that seems to plague Android.

    18. Re:And worse by Billly Gates · · Score: 1

      I got hit by 3 pieces of malware over the years. None of them were installed by choice but were drive-bys.

      As a result I stopped using Firefox which does not have sandboxing, I switched to a decent AV package as I was one of those users who felt I didn't need AV as I never click on things and get infected so kept old AVG etc. I only have flash on Chrome which is sandboxed by default. I keep it UPDATED as no one updated flash prior to 2011. I manually disabled Java in all my browsers as I still use Eclipse etc. Created a separate non admin account and have secure DNS now.

      The average user does not go to these extremes to protect themselves and shouldn't. My phone is not as flexible as a real PC is to lock down and have access to control by security software. It is not the user's fault that they use XP which is horrible in terms of security and use flash 9 and adobe reader 7. This is a typical home PC BTW and non IT professionals have no idea these are holes and have no reason to leave XP.

      Yes not using IE 6 is common sense today and statistics show they don't. That doesn't mean Firefox which is now much bigger and has no sandboxing is better.

      Phones are worse as I can not update past Android 2.2 without rooting my phone. AT&T wants me to throw it away for another $450 phone and a 2 year contract to get the security fixes instead which is outrageous. Yes this is a problem and the platform sucks for AV software to find and remove these on the phone.

    19. Re:And worse by bmo · · Score: 2

      >I love it how this fact only comes up when it's Slashdot's darling OS

      That there is a problem that sits in the chair that confuses the part in the seat with the part looking at the screen has been brought up time and again with other OSes. I have actually come out and said that encryption and all the security in the world doesn't effin' matter if you can get the user to trade the key for a candy bar, which has actually happened.

      You just have selective hearing, which means you are an asshole.

      --
      BMO

    20. Re:And worse by ThatsMyNick · · Score: 1

      It all makes sense, when you realize Slashdot is made of more than one person. There are people on slashdot who are not happy with malware on Windows and advocate more of a walled garden, and then there are people who believe in freedom to install malware if they wanted to. So you have more than one set of people, moderating at different points of time, carrying different opinions at different strengths. And thus you have, what you call, hypocrisy in slashdot, when all individuals are perfectly non-hypocritical.

    21. Re:And worse by recoiledsnake · · Score: 0

      It has been brought up yes, but if you've missed the overwhelming support and hundreds of posts on Slashdot for the notion that Windows is not as secure as Unix based OSes, then you're blind and have selective vision, which means you're a blind asshole.

      Now that we know how malware-free a popular Unix based OS is, out comes blaming the user instead of the OS.

      --
      This space for rent.

    22. Re:And worse by Xenx · · Score: 1

      There isn't as much chaos on the Android side as people like to think, but it is there. Anyone that takes the time to actually learn and understand the devices they buy, is usually fine on Android. iPhones, however, require less effort for entry level use. This isn't meant as a slight, just an observation. I would much rather support people on an iPhone than an Android because they likely don't have a clue either way and iOS is iOS... I can walk through the settings in my sleep.

    23. Re:And worse by Anonymous Coward · · Score: 3, Insightful

      You seem to be suggesting that it's impossible for it to be simultaneously true that users are lax about security AND the OS is insecure. But why would there be any conflict between those two claims? It's perfectly possible that many Windows users have poor security practices and Windows itself is less secure than other OSes.

    24. Re:And worse by Xenx · · Score: 1

      No OS is without fault, no program is without fault, and no user is without fault. You need to base your decisions upon what you feel you can handle with your level of competence. Use AV. Use a more secure browser. But, the biggest security hole in any system is the user. If you can't figure out that you shouldn't be installing every app you see, go with iOS. If you choose something else, accept that you open yourself to potential risk.

      Does this excuse the manufacturer, or Google, from all responsibility... no. But, I do think they're doing a decent job of balancing the open nature with need for security. As for your issue with firmware updates, I don't disagree. But, Google has been working to improve that with the carriers and manufacturers.

    25. Re:And worse by Billly Gates · · Score: 2

      >It all makes sense, when you realize Slashdot is made of more than one person. There are people on slashdot who are not happy with malware on Windows and advocate more of a walled garden, and then there are people who believe in freedom to install malware if they wanted to. So you have more than one set of people, moderating at different points of time, carrying different opinions at different strengths. And thus you have, what you call, hypocrisy in slashdot, when all individuals are perfectly non-hypocritical.

      Yeah no kidding I was modded down to 0 because I said there is a problem with AV software not having the access in the walled garden to clean up a rootkit infection. Sigh moderators

      There needs to be a balance though. Yes security is important but that does not mean banning all javascript except for the OS browser that came with it IE 10, Chrome, Safari, and no one else. Also at least with things like SecureBoot MS is nice enough to have an API for AV scanners to detect and remove rootkits.

      I think AV software and alternative browsers should be installed. Walled Gardens are only effective if they block 100% of all exploits 100% of the time and protect the dumb user from themselves. Then it is hell as if one gets through the tools are all walled away from doing anything about it and detecting it. That is a bad design if you ask me.

    26. Re:And worse by PuZZleDucK · · Score: 1

      Just as on a PC: The only way to guarantee an infection is gone (without hours of work) is a full OS install from scratch... Pull yourself out of the kiddy pool, root your device and flash a brand new rom that will probably run _faster_ than the original phone. You could then also run a good firewall if you wanted :]

      --
      Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman

    27. Re:And worse by the_B0fh · · Score: 1

      Exactly! I know I can trust you because you write everything from the bootloader and firmware upwards! After all, Google wouldn't be doing anything to invade your privacy, like they did with iPhone.

    28. Re:And worse by the_B0fh · · Score: 1

      wish I have modpoints. Don't understand why people don't understand this point.

    29. Re:And worse by alexgieg · · Score: 1

      >No, no they didn't. They are anti-FOSS.

      Not quite. What Apple really is against is "open hardware", or, more precisely, "open OS", at least when it comes to the one (hardware and OS) they themselves sell. As for individual pieces of software, they don't care whether it's FOSS or not. On the other hand, if your FOSS license of choice happens to prevent others from uploading it to their app store, see VLC for iOS, killed, if I remember correctly, by the VLC folks themselves, what guilt do they objectively have? When an open source project selects a license that forbids end-users of closed hardware from running said project's software, that's precisely one of the "features" the project aimed for, meaning it's working as intended.

      (It could be argued that the project actually intends to encourage hardware makers to not close the hardware. But that's the positive side of things, the negative being that, if the hardware maker doesn't opt to open it, end users will suffer no matter what. You can't have one without the other, the alternative being to have neither.)

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.

    30. Re:And worse by Goaway · · Score: 1

      >No, no they didn't. They are anti-FOSS.

      And they release so many large and widely used open source projects because... they hate it so much?

  2. uhmm.... by Anonymous Coward · · Score: 1

    Thanks?

  3. So only install from trusted sources? by Anonymous Coward · · Score: 0

    And use SEandroid hardened with guardian? Anything more?

  4. Double standards by Anonymous Coward · · Score: 0

    Gee, with all the problems Android is having do you think Slashdot will stop trying to pile on Windows Phone and stop claiming that Windows gets viruses because it is a terrible OS? ...Or do you think they'll ignore anything that clashes with their preconceived notions that anything from MS sucks and that Android must be good because Google makes it and it's open source?

    This is a tough one.

    1. Re:Double standards by Exrio · · Score: 1

      I do think proprietary software sucks just because it's proprietary. I've never claimed it to have anything to do with security, I'm sure the Linux desktop will get malware too if it ever has its year, just as OS X has now. Anything with a large enough (end-)user base and no totalitarian walled garden will - making security-wise perfect code is really hard and comes with tradeoffs many aren't willing to make especially in consumer software. I still wouldn't touch a totalitarian walled garden OS with a 6.096m long pole. Security becomes useless when it reaches the point where it prevents you from doing with your device what you wanted to do with it in the first place.

  5. Re:Windows 8 upgrade prices dropped by Microsoft by Anonymous Coward · · Score: 1

    That's awesome. Windows 8 is the best.. it's like GNOME 3 but from Microsoft.

  6. Multiple trusted repositories by tepples · · Score: 3, Informative

    Both Google Play Store and Amazon Appstore tend to be trusted by Android users, as do several lesser-known repositories. Do you plan to explain whether or not each deserves that trust and why?

    1. Re:Multiple trusted repositories by Anonymous Coward · · Score: 1

      Apps banned from Play for being mal-ware end up on other stores where they continue to enjoy life. Apple's approach has actually proven to be better.

    2. Re:Multiple trusted repositories by MobileTatsu-NJG · · Score: 1

      http://it.slashdot.org/story/11/06/15/183209/more-malware-infected-apps-found-in-android-market

      I realize this is anecdotal, but every Android malware story I've seen also mentioned the Marketplace is where they get it. I doubt users 'trust' it so much as they hope there is safety in numbers.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  7. Dumbphone by tepples · · Score: 1

    You could always buy a dumbphone from Virgin Mobile or your country's counterpart. Sure, those are technically also computers, but it takes a computer to modulate and demodulate voice signals on a digital network. Depending on how many calls you need to make away from home, and whether you have an unmetered land line available to make long calls, a dumbphone might cost you $7 per month or less, and unused minutes roll over as long as you keep paying the minimum every 90 days.

  8. Re:Who Are These People? by ThatsMyNick · · Score: 1

    You only had to look at the link to know this is very much legitimate research.

    Even if it was not, for God's sake don't try to redefine the word. I hope some journalist does not pick this up and start using it as definition of 'researchers'. Just call them researchers, and you can use an adjective to describe them as whatever kind of researchers you think they are.

  9. Re:Windows 8 upgrade prices dropped by Microsoft by iiiears · · Score: 1

    Aggressive pricing frightens slashdotters newly accustomed to Linux's increased market share.

    Like every other slashdotter I'll buy a copy for photoshop, mixcraft and games. (Windows is for relaxation - lol)

    --
    15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)

  10. Most Android malware is actually distributed ... by Anonymous Coward · · Score: 1

    via Google's Play Store. This is a KNOWN FACT, not bs.

    The official repository IS the main problem. Haven't heard about a single malware being distributed on the Amazon App Store.