Security researchers Christian Papathanasiou and Nicholas Percoco, from tech security firm Trustwave, have announced that they plan on demonstrating an Android rootkit at the Defcon hackers conference in July. The rootkit, which can be activated silently via an incoming SMS or phone call, is apparently a port of an existing Linux rootkit.
“You call the phone, the phone doesn’t ring, and when the phone realizes that it’s being called by an attacker’s phone number, it sends him back a shell”
According to Papathanasiou, because the rootkit runs as a Linux kernel module it can access everything: “Because we interface with the kernel, the opportunities to abuse this are limitless”. The rootkit could be used to steal personal data, pinpoint the owner’s location via GPS, or even redirect phone calls (such as emergency calls or calls to banks) to a fake number. Of course, any rootkit like this would need to be installed first, but it wouldn’t be the first time that malware has been bundled with an app on the Android Market, although this is a rare occurrence and Google are quick to remove any offending apps.
As some commenters have pointed out, though, whilst it’s very impressive that a rootkit has been created that can infect Android devices, it does seem a little pointless thus far. After all, a rootkit is designed to infect a system silently, covering its tracks and avoiding detection. There’s little point in going to such lengths to infect an Android phone when the vast majority of phones don’t have any antivirus or malware protection.

While being all nice and fun, this is not to be taken seriously. First of all: the rootkit cannot be installed via an apk from the market. Second: it’s a kernel module, so you need to flash the ROM of the phone to be targeted. That would need physical access. If you have physical access, all bets are off anyway, no matter what system you have.
Now, if they had found a mechanism to somehow flash a new ROM to your phone when opening an apk installed from the market, this would be newsworthy. So far it’s a simple port of an already known Linux rootkit.
Nothing to see here, move along…
Thanks for the input. I hadn’t realised it would have required a flash of the ROM.
Correct me if I am wrong. I think their rootkit is a loadable kernel module, therefore, it can be installed as long as the victim has root privilege. There isn’t a need to reflash it into the ROM.
As a result, only rooted Android is vulnerable to this rootkit.
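As an added defender-side example (not from the article or from Trustwave's research), assuming a root shell on the device: a loadable kernel module leaves traces that a simple consistency check can surface, such as a module that appears under /sys/module but has unlinked itself from /proc/modules, or one that is loaded but not on the firmware's known-module list. The allowlist and the sample module names below are constructed.

```python
import os

# Hypothetical allowlist for one firmware build (constructed; real builds differ).
KNOWN_MODULES = {"wlan", "cfg80211", "dhd"}

def parse_proc_modules(text):
    """Module names from /proc/modules text; the name is the first field of each line."""
    return {line.split()[0] for line in text.splitlines() if line.split()}

def read_sys_modules(sysfs="/sys/module"):
    """Names under /sys/module that carry an 'initstate' file, i.e. were loaded as
    modules; built-in code that merely exports parameters has no initstate."""
    if not os.path.isdir(sysfs):
        return set()
    return {name for name in os.listdir(sysfs)
            if os.path.exists(os.path.join(sysfs, name, "initstate"))}

def find_suspicious(proc_modules, sys_modules, known=KNOWN_MODULES):
    """Return (unexpected, hidden): modules loaded but not allowlisted, and modules
    present in sysfs but absent from /proc/modules (a classic self-hiding LKM tell)."""
    unexpected = sorted(proc_modules - known)
    hidden = sorted(sys_modules - proc_modules)
    return unexpected, hidden

# Constructed sample data standing in for a rooted device's /proc and /sys.
SAMPLE_PROC_MODULES = (
    "wlan 1234 0 - Live 0xbf000000\n"
    "cfg80211 2345 1 wlan, Live 0xbf010000\n"
    "extramod 4096 0 - Live 0xbf020000\n"
)
SAMPLE_SYS_MODULES = {"wlan", "cfg80211", "extramod", "ghostmod"}

def check_sample():
    """Run the comparison on the constructed sample data."""
    return find_suspicious(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYS_MODULES)

def check_live_system():
    """Run the same comparison against the running kernel (needs /proc and /sys)."""
    try:
        with open("/proc/modules") as f:
            loaded = parse_proc_modules(f.read())
    except OSError:
        return None
    return find_suspicious(loaded, read_sys_modules())

if __name__ == "__main__":
    print("sample:", check_sample())
    print("live:", check_live_system())
```

On the sample data the check reports extramod as unexpected and ghostmod as hidden; on a real device the allowlist must be built from a known-good image of the same firmware.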