Android Rootkit Is Just a Phone Call Away

samzenpus posted more than 4 years ago | from the dial-M-for-malware dept.

Google 190

alphadogg writes "Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious 'rootkit' program they've written for Google's Android phone next month at the Defcon hacking conference in Las Vegas. Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. 'You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program],' said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research."

190 comments

Anti Virus? (3, Insightful)

kobaz (107760) | more than 4 years ago | (#32440094)

Is there going to be a huge market for antivirus software for cell phones within the next few years?

Re:Anti Virus? (1, Insightful)

grantek (979387) | more than 4 years ago | (#32440144)

Well the Apple way of doing things would just be to yank any app that's discovered to have an active exploit, and maybe remote wipe it from phones, then probably disable any infected phones until the OS is reinstalled. If that works for the masses it could be a nightmare for Richard Stallman, because it'll probably spread from there to the desktop.

Re:Anti Virus? (0)

Anonymous Coward | more than 4 years ago | (#32440326)

... If that works for the masses it could be a nightmare for Richard Stallman, because it'll probably spread from there to the desktop.

I think I'm getting tired, because for a couple seconds I had some really strange imagery going on.

Re:Anti Virus? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32440370)

Actually, Apple's way of doing it is to have complex analysis, bounds checking and simulation tools they run on your code before they approve. I'm not saying it's foolproof. It's just one case where not being open has its advantages.

Re:Anti Virus? (4, Funny)

Anonymous Coward | more than 4 years ago | (#32440730)

YM:

Apple's way of checking if an app is valid:

1: Does the app use competing products? Yes, denied.
2: Is the app yet another flashlight or fart app? Approved.
3: Does the app mention Google at all? It's outta here.
4: Does the app do Web browsing? Gone.
5: If it passes all of the previous 4, roll a d6. 1-4, approved, 4-6, denied for some random reason even though other apps got approved with the same issues.

Re:Anti Virus? (0, Offtopic)

JustinRLynn (831164) | more than 4 years ago | (#32441730)

Mod parent up, for all the transparency Apple gives developers that might as well be the process.

Re:Anti Virus? (1)

zuzulo (136299) | more than 4 years ago | (#32441590)

VirtualBox on Android. Why not?

Or at least some sort of microkernel based virtualization ... forget about antivirus, firewalls, and all that noise. Just give me a fire and forget OS that is refreshed anew with each power cycle. My cell phone is *supposed* to be an appliance, after all. Keep the data on the network, and refresh the OS from a known good copy every time i turn it on ...

Who am i kidding, there is too much money in OS vulnerabilities for this to ever fly ... ;-)

Re:Anti Virus? (4, Insightful)

v1 (525388) | more than 4 years ago | (#32440146)

Is there going to be a huge market for antivirus software for cell phones within the next few years?

For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

Protecting your users from bad people isn't really very difficult. (firewall) Protecting them from themselves, that's a trick. (AV software)

I'm surprised we haven't seen a much faster rise in malware for unlocked phones in the last few years.

Re:Anti Virus? (2, Insightful)

Skuld-Chan (302449) | more than 4 years ago | (#32440550)

Haven't read the article yet - so I wonder if this affects stock android phones. The default setting for android is not to install anything unsigned.

Re:Anti Virus? (1)

Kingrames (858416) | more than 4 years ago | (#32440626)

"I'm surprised we haven't seen a much faster rise in malware for unlocked phones in the last few years."

The room does not become empty when you close your eyes.
- Quote mangled from a joke taken from the Jargon File.

Re:Anti Virus? (1)

grcumb (781340) | more than 4 years ago | (#32440704)

For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware.

Can you explain precisely what you mean when you use the term 'unlocked'? You're almost certainly wrong no matter which sense you use it in, but I want to make sure I refute the proper argument. 8^)

Okay, seriously: The valid part of your statement is your mention of 'unsigned software', which I take to mean the Microsoft approach of allowing all comers with little more than a 'caveat emptor' to protect the person who installs it. If that's the case, then yes, it is a design liability.

But even then, it's not inconceivable that a phone maker could sandbox all applications and police the hardware itself, showing the user explicitly what each app is doing, or autonomously applying certain sane rules.

There's no doubt, however, that having central repositories is a useful element in overall system security. Linux and Apple have demonstrated that fairly well.

But none of that has to have anything whatsoever to do with whether the phone is 'locked' or not. In fact, I can't really see how tying the phone to a particular vendor (that is what you mean, right?) has anything whatsoever to do with security. If experience is any guide, this would be counter-productive, because it would encourage vendors not only to go their own way, but to build walls between their respective implementations. Apple notwithstanding, historically these companies handle security very poorly because they see it as a cost centre rather than a baseline requirement.

... Or did you mean 'jail broken'?

Re:Anti Virus? (1, Insightful)

sexconker (1179573) | more than 4 years ago | (#32441706)

"Jail Broken" is a shitty term, and it's less valid than the term you're bitching about.

Unlocked (or Application Unlocked) - able to install unsigned/unapproved/unofficial programs
Carrier Unlocked - able to move across carriers (provided the radio and ID methodology (SIM card, for example) are supported)
Rooted - Having root access on the phone
Jail Broken - Derp I'm an Apple user derp

Re:Anti Virus? (0)

Anonymous Coward | more than 4 years ago | (#32442128)

The first one is not "unlocked" it is "unverified" or even "unsigned".

Re:Anti Virus? (4, Insightful)

MrHanky (141717) | more than 4 years ago | (#32441474)

How exactly is OS X an exception? If you think OS X has effective protection against trojans and root kits, you're deluding yourself.

Re:Anti Virus? (1)

node 3 (115640) | more than 4 years ago | (#32441748)

How exactly is OS X an exception?

Due to the notably disproportionate lack of spyware on the Mac.

If you think OS X has effective protection against trojans and root kits, you're deluding yourself.

It's strange that people seem to always bring this up when no one is making the claim that is supposedly being debunked.

Re:Anti Virus? (2, Insightful)

HappyClown (668699) | more than 4 years ago | (#32441826)

For every "unlocked" phone that allows you to install unsigned software, yes. That's the price you pay for unlocked hardware. There are exceptions to the rule, (OS X) but they are very few and far between.

How exactly is OS X an exception?

Due to the notably disproportionate lack of spyware on the Mac.

By that logic, if I leave my front door open year round yet don't get burgled, my home must be burglar proof!

Re:Anti Virus? (1)

MrHanky (141717) | more than 4 years ago | (#32441992)

You made the claim that OS X was a rare exception to the rule that unlocked hardware (sic) has a virus problem (or actually: that there is "a huge market for antivirus software" for such platforms). Yet this is blatantly untrue: hardly any OS except Windows (and the Amiga, back in the days) has a huge virus problem.

And now you try to make the argument that OS X has little need for anti-virus software due to there being a disproportionate(?) lack of spyware for the platform. Spyware != virus, and a lack of spyware is hardly unique for OS X either.

At any rate, this story has nothing to do with spyware. The root kit can only be installed intentionally or bundled with another program, as a trojan. Mac OS X already has enough of a trojan problem that Mac OS X trojans have been used to create botnets. You fanboys really are a confused and delusional bunch.

Re:Anti Virus? (0)

Anonymous Coward | more than 4 years ago | (#32442092)

Maybe the lack of multitasking will prevent the malware from running in the background. :D

Re:Anti Virus? (1)

zonky (1153039) | more than 4 years ago | (#32440158)

wait, you mean i have to trust the code i execute?

Re:Anti Virus? (2, Insightful)

FatdogHaiku (978357) | more than 4 years ago | (#32440474)

wait, you mean i have to trust the code i execute?

Only on devices you want to reliably and securely use...
it's kind of like that rule about only flossing the teeth you want to keep.

Re:Anti Virus? (2, Insightful)

Totenglocke (1291680) | more than 4 years ago | (#32440162)

I'd rather just see anti-virus software on pc's incorporate definitions for mobile phone viruses / rootkits as well - that way you can just run a virus scan once a week with your phone plugged into your computer and not have to worry about killing the battery life on your phone.

Re:Anti Virus? (1)

SQLGuru (980662) | more than 4 years ago | (#32440314)

Wait, you have to plug your phone into your computer? My WinMo phone syncs via Bluetooth (and if I had a data plan, would sync via the 3g).

Actually Kaspersky has a mobile AV that's been available for a while: http://usa.kaspersky.com/products_services/mobile-security.php [kaspersky.com]

Re:Anti Virus? (1)

404 Clue Not Found (763556) | more than 4 years ago | (#32440400)

A cloud-enabled phone that's chained to the computer for security checks? I don't think that's a terribly good idea.

Why can't the virus scanner on the phone just run itself once a week? Or once a night when it's plugged in? Or on-demand when new apps come in / websites load?

Re:Anti Virus? (1)

symbolset (646467) | more than 4 years ago | (#32441104)

D00d - Android is Linux. The only purpose for antivirus in Linux is as a mail filter for Windows mail clients. The solution to this root kit is: don't lend people your phone. The begged question is, "why would I lend someone my phone?"

Re:Anti Virus? (2, Interesting)

mlts (1038732) | more than 4 years ago | (#32440786)

I'd like to see an antivirus scanner put into the fastboot or recovery image. This way, if a phone is rootkitted, someone can boot to the recovery, and run Tripwire like software which would catch unknown kernel modules, and for known malware signatures, a signature based AV would deal with those.

However, let's be realistic: AV software is the absolutely last bastion of defense. Before malware can trip the AV software, the OS or application should have dealt with it by either ignoring it and forbidding it to run, or actively killing what it was doing.

Re:Anti Virus? (1)

Noitatsidem (1701520) | more than 4 years ago | (#32440168)

I'd really hope not.

Re:Anti Virus? (1)

oztiks (921504) | more than 4 years ago | (#32440196)

I believe so, the value of commandeering a mobile phone and then using it for illegitimate financial gain is there, the possibilities are the same as Trojan on a PC, perhaps even more.

A mobile Botnet being able to DoS targets with smartphones and it wouldn't be limited to just internet, it could be done with the phone/sms aspect as well.

Re:Anti Virus? (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#32440296)

Not on the iPhone. :p

Re:Anti Virus? (2, Insightful)

erroneus (253617) | more than 4 years ago | (#32441228)

Don't jump to conclusions about this. A rootkit is not a virus and isn't necessarily malware at all depending on how it is applied and used.

I could describe similar behaving software as an anti-theft and tracking function. Say someone steals my shiny new android phone and I want it back. Once I have some sort of access to the phone, I can ask it to take pictures and send them back to me. I can ask it to get a GPS read and send it back to me. I can ask it to get a log of activities such as options explored and executed, phone calls, text messages, web or other internet activity, track motion and location data to show where the phone has been and when -- anything to help identify where the phone is and who took it. The door to this functionality, of course, would be triggered by a phone call from a particular source (or a particular caller ID) or a specially crafted SMS text message.

This discussion isn't about INFECTING a phone with a phone call or SMS text message. The planting of the rootkit most often comes from the execution of untrustworthy code, for example, a Sony-BMG music CD. The rootkit would be inserted by a game or app that the user himself decided to execute. While there is always the possibility of a web drive-by installation the way we hear about on Windows computers, I think it is more likely that the user would have to be misled or fooled into running the code to install the rootkit.

Such techniques would be used by both "bad guys" (criminals) and "other bad guys" (law enforcement).

Re:Anti Virus? (0)

Anonymous Coward | more than 4 years ago | (#32441436)

Score: 5, Informative

Re:Anti Virus? (1)

LingNoi (1066278) | more than 4 years ago | (#32442166)

If this is going to work as an anti theft device activated by an sms or phone call how are you going to know which number to call? The first thing a criminal does when stealing your phone is to take the battery and sim out.

Re:Anti Virus? (1)

Timmmm (636430) | more than 4 years ago | (#32442152)

There is already an 'anti-virus' app in the Android market. It has many 5 star reviews, but seeing as there *are* no android viruses yet I assume it just pretends to scan your system and then says 'no viruses found' or something.

Re:Anti Virus? (0, Offtopic)

Evtim (1022085) | more than 4 years ago | (#32442176)

Can I have JUST a telephone please? You know, just to make calls.

So, they are killing the ohh, so dangerous open PC's for the sake of ooops, so dangerous "appliances". Mission accomplished!

Pardon the smell, guys. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32440096)

Pardon the smell, I dropped an Obama in my pants!

Re:Pardon the smell, guys. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32440244)

funny thing about niggers. When they shit their pants, it improves their smell.

Hacking mobiles (2, Interesting)

lobf (1790198) | more than 4 years ago | (#32440104)

Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as they increase in popularity? I'm not being facetious, I come here because I don't know these answers.

Re:Hacking mobiles (0)

Anonymous Coward | more than 4 years ago | (#32440182)

Imagine a mobile based botnet?

The SMS market alone would be huge, say sign 10,000 phones to those crappy subscriber ring tone companies, etc ... the possibilities are endless.

It will be. (3, Interesting)

maillemaker (924053) | more than 4 years ago | (#32440194)

>Is hacking mobile phones a big business nowadays? Should we expect to see more security issues with our smartphones as they increase in popularity? I'm not being facetious, I come here because I don't know these answers.

If it's not, it will be. Clearly there is big business to be made in compromising traditional computer systems today. In the early days (and I've been around computers since the TI99/4A) it seems that "viruses" were primarily made as a prank. But today the biggest threats seem to be botnets which are used for profit to either propagate spam and execute denial of service attacks through distributed means, or simply to skim valuable user account data off of the compromised systems. This is all far beyond the amateur pranks of old. It is now done for financial gain. Cell phones have rapidly become computers. All the benefits of compromising traditional computers will likely follow.

Re:Hacking mobiles (2, Interesting)

Seth024 (1241160) | more than 4 years ago | (#32440250)

That's certainly possible.

The big problem I believe is that there are so many different operating systems (Symbian, iPhone OS, Android...) that all have a part of the market. Being able to write a virus/find a backdoor to control 90% of PCs is very profitable. Just like there are not many people writing viruses for Mac OS or Linux, there are not many viruses for mobile phones (yet).

Re:Hacking mobiles (1)

digitalchinky (650880) | more than 4 years ago | (#32440780)

It used to be in the Symbian S60V2 era. These days as a result of commercial entities wanting to eliminate piracy and others wanting to make wads of cash through sales of certificates, your average cell phone is pretty much locked down. If you want to install an application capable of doing anything more complex than "Hello World" you'll need to have it signed first.

That said, not all handsets are closed, the Nokia N900 comes with its own xterm right out of the box - root is just a 'sudo getroot' away : ) Applications are trivially simple to install. I don't believe Nokia has sold terribly many of them, so I can't imagine it's a popular target for crapware.

Re:Hacking mobiles (1)

erroneus (253617) | more than 4 years ago | (#32441324)

A LOT of useful data on an individual could be collected from smart phones including where they do business and other commerce. So instead of sending out random spam/phishing emails that alert and confuse people because they don't have an account at "Bank of Whatever." They could identify, among other things, what banks and shops they have visited and then send them targeted attacks saying "your recent visit to has made you eligible for this special offer. Please go and sign up for and provide your personal details now!"

The more focused such things can be, the more believable they become. Not only could banking information get compromised, but other financials/personals as well. And this phishing would no longer need to appear to come from banks, it could then come from Best Buy or whatever store you might buy expensive things from.

lol (2, Interesting)

larry bagina (561269) | more than 4 years ago | (#32440112)

Microsoft Talks Back To Google's Security Claims -- coincidence?

Re:lol (0)

Anonymous Coward | more than 4 years ago | (#32440266)

...this "exploit" exists on every phone/pc/mac on the planet.

If the user installs an app and says "yes I give you access to every permission you want on my phone"... then they fucking deserve to be hacked.

Don't worry, be happy! (1)

jo42 (227475) | more than 4 years ago | (#32440120)

Google will fix it in 2.3 Sherbet.

- T. Roll

Re:Don't worry, be happy! (0)

Anonymous Coward | more than 4 years ago | (#32440186)

....this "exploit" is on every phone/pc/mac on the planet.

Re:Don't worry, be happy! (0)

Anonymous Coward | more than 4 years ago | (#32440344)

2.5 Chocolate torte. Mmmmm.

Re:Don't worry, be happy! (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32440412)

It's not a bug. They say "once it's installed." This isn't a rootkit, it's just an app that responds to incoming calls (anyone can do this now). There would still need to be an exploit to get the app installed in the first place. The title is certainly a little misleading.

Re:Don't worry, be happy! (1)

masterwit (1800118) | more than 4 years ago | (#32440442)

It's not a bug.

It's a feature!

Re:Don't worry, be happy! (0, Troll)

JonJ (907502) | more than 4 years ago | (#32441506)

Which you'll have to get a new phone to get, since none of the carriers nor the supplier of the phones have a proper upgrade plan.

Re:Don't worry, be happy! (1)

worx101 (1799560) | more than 4 years ago | (#32442162)

You cannot fix stupid... If a user installs it and accepts everything and the kitchen sink(even if they mean to or not) then there just is no protection against that.

just like installing a trojan on your computer! (5, Interesting)

Anonymous Coward | more than 4 years ago | (#32440122)

...which could let the hacker get access.

I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

And the ability to "listen" for a call is called a BroadcastReceiver. It's nothing special or hackish. Think a trigger ruleset for Android like you have for your mail client.

Good god.
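As an added illustration of the point made in the comment above (not part of the thread, and not code from the Trustwave research): a Python audit of a decoded AndroidManifest.xml that flags an app able to react to incoming SMS or call-state broadcasts while also holding a permission to send data out. The package names, receiver names and both sample manifests are constructed for the example; the permission and broadcast action strings are Android's own.

```python
"""Audit a decoded AndroidManifest.xml for call/SMS-triggered receivers."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

# Broadcasts sent on an incoming SMS or a call-state change, mapped to the
# permission an app must hold to receive each one.
TRIGGERS = {
    "android.provider.Telephony.SMS_RECEIVED": "android.permission.RECEIVE_SMS",
    "android.intent.action.PHONE_STATE": "android.permission.READ_PHONE_STATE",
}
# Permissions that let a triggered app move data off the phone.
OUTBOUND = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def audit_manifest(xml_text):
    """Return trigger receivers, outbound permissions and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings, declared = [], set()

    # Receivers declared statically in the manifest.
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            # A high priority puts the receiver early in an ordered broadcast.
            priority = int(flt.get(A + "priority", "0"))
            for action in flt.findall("action"):
                name = action.get(A + "name")
                if name in TRIGGERS:
                    declared.add(name)
                    findings.append({
                        "receiver": receiver.get(A + "name"),
                        "action": name,
                        "priority": priority,
                        "permission_held": TRIGGERS[name] in requested,
                    })

    # A receiver can also be registered at runtime and never appear in the
    # manifest, but the permission still has to be requested up front.
    for action, perm in TRIGGERS.items():
        if perm in requested and action not in declared:
            findings.append({"receiver": None, "action": action,
                             "priority": 0, "permission_held": True})

    live = [f for f in findings if f["permission_held"]]
    outbound = sorted(requested & OUTBOUND)
    # "review" means a human should ask why the app needs this combination;
    # plenty of legitimate apps (SMS clients, call blockers) will match.
    verdict = "review" if live and outbound else "ok"
    return {"package": root.get("package"), "findings": findings,
            "outbound": outbound, "verdict": verdict}


# Constructed sample: a game that asks for far more than a game needs.
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.towerdefense">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".GameActivity"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an app with no telephony triggers at all.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (GAME_MANIFEST, FLASHLIGHT_MANIFEST):
        report = audit_manifest(manifest)
        print(report["package"], "->", report["verdict"], report["outbound"])
        for f in report["findings"]:
            print("   ", f)
```

The manifest has to be in decoded text form; the copy inside an APK is binary XML and needs a decoder first.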

Re:just like installing a trojan on your computer! (1)

clang_jangle (975789) | more than 4 years ago | (#32440148)

Yep, it's a trojan.

From FTFA:

Once it's installed on the Android phone, the rootkit can be activated via a phone call or SMS (short message service) message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. "You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell [program]," said Christian Papathanasiou, a security consultant with Chicago's Trustwave, the company that did the research.

Re:just like installing a trojan on your computer! (3, Interesting)

AndroidCat (229562) | more than 4 years ago | (#32440240)

(If they can rootkit my Milestone down past the locked loader, I want to know how! [Yeah, of course I got an Android phone, it was .. destiny.])

Odds are there are far more stupid "smartphone" users than PC/Mac ones.

Want to tap virgin pools of stupidity? There's an app for it!

Re:just like installing a trojan on your computer! (1)

JaZz0r (612364) | more than 4 years ago | (#32440322)

What Android version(s) does this affect? The latest public release (v2.1 stock) hasn't even been rooted by the mod community.

Re:just like installing a trojan on your computer! (1)

mlts (1038732) | more than 4 years ago | (#32440378)

Maybe this is where Android "fragmentation" might be good. An exploit that works for Android 1.5 and the Samsung Behold 2 likely won't work on a Droid running 2.1, especially if it uses a kernel module, and almost definitely won't work if neither phone is rooted.

Re:just like installing a trojan on your computer! (1)

SQLGuru (980662) | more than 4 years ago | (#32440332)

All it takes is one cool app that people want (say, a really cool free Tower Defense game) that incorporates the Trojan. The point of the Trojan is that it pretends to be something you want to get you to install it. Until someone figures out that it's a Trojan, it'll spread like wildfire.

Re:just like installing a trojan on your computer! (0)

Anonymous Coward | more than 4 years ago | (#32440398)

Yes because I won't be suspicious when a Tower Defense game asks me for permission to intercept phone calls???

Re:just like installing a trojan on your computer! (0)

Anonymous Coward | more than 4 years ago | (#32441856)

No. All it takes is for one cool app to contain a trojan that can get past Android's sandbox security model and gain root access. This is a bit different.

Re:just like installing a trojan on your computer! (4, Informative)

mlts (1038732) | more than 4 years ago | (#32440352)

Even if a user gives permissions, they may get their account and messages compromised, but unless there is an exploit the malware uses that isn't known by the modding/rooting community, there is NO WAY that something installed as an APK in a user account on a phone is going to be able to get root access to drop in a kernel module. Even if it did, phones like the Motorola Milestone have signed Linux kernels and are not built with the ability to load modules, so all it would do is nothing or cause the phone to bootloop.

Don't forget, that a lot of kernels on Android phones are built monolithic and not allowing kernel extensions. A custom kernel that is explicitly built to allow .ko files on a G1 is likely what is needed for this exploit.

I can see three ways that this kernel rootkit (which is nothing new -- there have been Linux kernel modules for rootkits since the late 1990s) can get on an Android device, and all three require a rooted phone:

1: The app masquerades as a root utility. There are some utilities which are very useful for rooted phones. Droidwall, Autostarts, Wireless Tether, Wired Tether, root explorer, Titanium Backup, SQLite Editor, and a terminal emulator are must have utilities, because they add a lot of useful functionality. I can see a utility masquerading as something useful for rooted phones, getting installed, then going to town on the phone, replacing BusyBox with a utility that hides the rootkit, opening up a command port, and so on.

2: Some malware is put on a custom ROM. This would kill the custom modding scene as we know it if this happens, and makes me wish that people who "cook" ROMs would PGP or gpg sign the images, so a determined blackhat would not be able to tamper with things.

3: An app gets access to the SD card, manages to alter nandroid backups on the card and/or add an update.zip file which is signed, and then runs an update. This way, the malware package would be sucked in implicitly.

So, for the average user with Android, a rootkit isn't going to happen unless it uses an exploit, and these days, RAMDLD exploits and such are rare for phones.

Re:just like installing a trojan on your computer! (1)

toadlife (301863) | more than 4 years ago | (#32440646)

This would kill the custom modding scene as we know it if this happens, and makes me wish that people who "cook" ROMs would PGP or gpg sign the images, so a determined blackhat would not be able to tamper with things.

It wouldn't kill the scene, but it would certainly encourage ROM makers to provide checksums for/sign their releases and not preconfigure the OS to be so promiscuous.

I cook my own Windows Mobile ROMs and sign every custom exe and dll that I insert into the ROM with my own self generated cert and pre-configure the OS to trust that cert. Most (Windows Mobile) ROM makers just configure the OS to allow unsigned apps by default.

Your idea is a good one. If/when I decide to release my ROM, I will provide checksums for the image.

Re:just like installing a trojan on your computer! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32440752)

"Ubuntu protects you from malware in the same way that a Geo protects you from carjackers." -AC

Your sig is pure troll bullshit, faggot.

Re:just like installing a trojan on your computer! (0, Offtopic)

toadlife (301863) | more than 4 years ago | (#32440856)

And your reaction to it is pure hilarity, moron.

Re:just like installing a trojan on your computer! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32441142)

Yep, I got trolled. No doubt you are proud of your contribution to the human race, douchebag.

Re:just like installing a trojan on your computer! (1)

mlts (1038732) | more than 4 years ago | (#32440900)

It sounds like you know what you are doing and are able to cook ROMs worth downloading. I just think that because compromising phones is so lucrative [1] that it will only be a matter of time before the modding community (be it Windows Mobile, Android, jailbroken iPhone utilities, even the N900) will be strongly hit by this. This is why I like the idea of PGP/gpg signing ROMS, and perhaps urging a popular modding forum (xda-developers, modmymoto, etc.) to sign and store copies of developers' PGP/gpg keys for easy retrieval and validation (so someone impersonating a dev cert wouldn't go far.)

I worry about two things when it comes to modding phones: Piracy and compromised ROMs. Piracy gets app developers to put more pressure on Google, phone makers, and carriers to make their devices more hostile. A compromised ROM, regardless of platform, if it affected a good amount of people would cause phone makers and cell carriers to start putting more root-hostile "features" on their devices, such as the signed kernels on the Milestone, to daemons that run that kill any root process that isn't on a manifest list.

At least PGP/gpg signing of ROMs means an attacker has to go to serious lengths to try to get around it, perhaps by hacking one of the bigger Web forums. Even then, if people already have a copy of the public key, it will be obvious that a ROM was tampered with on download.

[1]: Tons of ways to make money from a compromised phone. Repeatedly dial a long distance number, send out spam via SMS, send out traditional spam via a smtp server, grab user contacts and info for use for targeted phishing or extortion, use the phone's storage for a BitTorrent seed or FTP server, use the phone as a proxy to further hide a blackhat's IP tracks, and so on.

Re:just like installing a trojan on your computer! (0)

Anonymous Coward | more than 4 years ago | (#32441844)

Cyanogen provides md5 checksums of all his ROMS, FWIW.

Re:just like installing a trojan on your computer! (0)

Anonymous Coward | more than 4 years ago | (#32440386)

What can we do to defend against this? To prevent most trojans, we could make sure only known (trusted) users can sell applications. That would require a centralized application marketplace. But even with service representatives poring over each app for weeks, they aren't going to catch everything. Some apps might have malicious code that doesn't become apparent until long after it's installed. To minimize the problem, there should be some way to remote wipe any apps known to be malicious. That way, even a time delayed trojan can be removed from all the phones in the world within hours of being discovered. I bet if we put these kinds of features in place, the geek community would praise us for being forward thinking, and commend our work!

Re:just like installing a trojan on your computer! (1, Funny)

Anonymous Coward | more than 4 years ago | (#32440438)

This is a dumb idea that would cause massive backlash. It would be like treating all your customers like idiots without the sense to look after themselves. Actually people are idiots without the ability to look after themselves so it would probably take off and spread like wildfire through the mildly retarded public.

Re:just like installing a trojan on your computer! (2, Interesting)

RenderSeven (938535) | more than 4 years ago | (#32440462)

What can we do to defend against this?

Generally, don't lend your phone to security researchers at hacking conferences. Writing a rootkit makes good headlines but the article says they freely admit they don't have a clue how to install it with a rogue application.

Re:just like installing a trojan on your computer! (1)

Securityemo (1407943) | more than 4 years ago | (#32440516)

Something being "special or hackish" doesn't matter, as long as it works. The only reason to use convoluted-but-well-known methods instead of the platform API is to dodge security; there is no reason to do such things if there's nothing to dodge.

Re:just like installing a trojan on your computer! (4, Insightful)

khchung (462899) | more than 4 years ago | (#32441386)

I am an Android developer--- and this article is fail. If a user just installs whatever app--- giving it whatever permissions to their phone.. how is this any different from a stupid user installing an app on their PC/MAC that has a trojan built in?

And that's exactly why you and many /.ers cannot see the value proposition of the iPhone. For you, the Android phone is just a smaller PC, a general purpose computer, so if a user doesn't know enough not to install trojans, that's the user's problem.

But to the users, the phone is an appliance, that is used daily and contains lots of private information. The last thing I want is for it to crash or get a trojan leaking my data. If the cost of that is I have to be subject to Apple's arbitrary rules, cannot run flash, may miss out a few "cool" apps, and may not use the hardware to the fullest possibility, then so be it. I would still be using a 2G dumb phone if none of the phones in the market can give me that value.

Similarly, I gladly accept the restrictions on my PS3 in exchange for eliminating most kinds of cheating (aimbots, etc) in online multiplayer games.

As a user, I don't care if I am not using the hardware to the fullest possibility, what I care is what kind of value proposition the product is giving me.

Wow this article makes it so scary (4, Interesting)

Technomancer (51963) | more than 4 years ago | (#32440152)

From TFA: "The rootkit could also track a victim's location or even reroute his browser to a malicious Web site."
Really? And then what? The malicious website will install another worse rootkit?
It has rootkit! The phone is compromised, all the information you have on it is potentially leaked and the phone doesn't belong to your carrier anymore (it never belonged to you, you realize that, right?) it belongs to the rootkit operator. The only cure is to either flash it with fresh OS or burn it with fire.

Re:Wow this article makes it so scary (1)

fermion (181285) | more than 4 years ago | (#32441364)

I agree that for the most part such a rootkit would be more of an annoyance than anything else. Most people don't do serious work on their phones, and so bank passwords and the like should not be an issue. However even annoyances can be an issue. Remember when everyone was up in arms because malicious web sites would substitute or create additional advertising? Remember when everyone had a 'helper' browser plugin that would display pop ups and track all your web browsing then send all that data to advertisers? These really caused no problem for the user, but we didn't like them so spent a great deal of time eradicating them. Not scary, not a big problem, but not liked.

Then of course many Android users in the US are on Verizon, and I assume many have not opted to pay for the GB plan, so are allowed MB per day, which, since Verizon is the best network in the US, has very good bandwidth. It would not be very difficult, therefore, for a marketer to set up background apps to download huge Flash adverts that would generate page views and revenue. Google is not going to care because they get a cut of all ad revenue, and Verizon won't care because they get to charge for excess data. It is win-win.

And, we can't recall one of the oldest tricks in the books, which was merely an annoyance so no one really cared. The reprogramming of the modem to dial an especially expensive foreign number. In the case of the Android phone, the phone could be set to dial through one of those expensive long distance services like they have at airports, where a three minute call can be billed back to your cell account for $50. It is not in the article, but if I have control of the phone, then it makes sense that I would have control of the call. And who is being called on that phone. For sale to any investigative office that is willing to pay for it.

Re:Wow this article makes it so scary (1)

Technomancer (51963) | more than 4 years ago | (#32441620)

Actually, phone with a rootkit is a very serious problem. Lots of people DO BANKING on their phones, and check emails, and do all kinds of stuff. So their financial and personal information is at risk.
Also, from all phone operating systems out there Android seems to be the safest choice because of the fact that all apps run in their sandboxes and they are just bytecode executed by VM.
But then there is native SDK too, so I guess apps that use NDK would have it easier to root the phone.
I think a real problem for phones (and PCs) is a simple question of trusting the applications you install. It does not matter whether you download it from the web, or install from app store. It does not matter whether it goes through Apple approval or more lax Google app store. The app may just do little more than what it says it does and send your important information somewhere. There is no test that would prevent it. Even though the apps could be revoked it is going to be too late.
The only possible solution is to have application source code available for review and applications compiled from source.
And that is why we need Gentoo for phones.

Talk about misleading headline! (5, Insightful)

AC-x (735297) | more than 4 years ago | (#32440224)

The headline makes it sound like you can get infected with a root kit from a phone call which is nothing like what's being said, what a load of sensationalist bollocks.

Why would you even want to activate a root kit via a phone call? The phone's got a permanent internet connection so it may as well just poll a server for commands.

Re:Talk about misleading headline! (2, Insightful)

Xest (935314) | more than 4 years ago | (#32441708)

Yep, I'm trying to figure out what exactly the point of this demonstration is.

It's like the guy in question has just figured out that you can write software that does bad things, not just good things, and so has written a piece to demonstrate this.

What can be done is irrelevant, we already know what can be done, the problem is doing it, and that needs an attack vector, ideally a remotely exploitable one for the "best" hacks, and this guy hasn't found any.

I'm not even sure it serves as an example of the future of malware, it's hardly even imaginative. I suspect future malware threats will more likely involve things like P2P networks setup by the malware itself that is used to distribute updates that provide the malware with new exploits to try infecting other machines with or that receives anti-anti-virus updates to kill off any AV software even if attempts are made to update it. In general, I suspect malware will get a whole lot more intelligent in terms of mining data on infected systems, making users believe there's nothing wrong, and in spreading itself.

The example in TFA demonstrates none of this sort of thing, just stuff that's long already been done. Hell, even my examples are hardly that far fetched, I'm sure some malware out there already does a lot of this sort of thing right now.

Re:Talk about misleading headline! (0)

Anonymous Coward | more than 4 years ago | (#32442172)

Polling a server would be noticed in logs. It might be easier to hide as a sleeper cell than as an active cell.

Pure and utter bullshit (4, Insightful)

Anonymous Coward | more than 4 years ago | (#32440238)

You call the phone, the phone doesn't ring, and when the phone realizes that it's being called by an attacker's phone number, it sends him back a shell

And then he can make the phone emit lasers that will kill your dog and drive your car into a wall!

*sigh*

The thing about a rootkit is that you need root before it works.

Installing an app from Market (or anywhere else) won't do it.

So.. in order for this to be a threat, the attacker would have to convince the user to root their phone (potentially bricking it), install their trojan app, then give that app root access.

While there may be stupid people around, the number of stupid people who would root their phone, to install an app, and give that app root access, and not know that this is a stupid thing to do is minuscule (and IMHO those that would deserve everything they get.)

This is a total non-issue.

Re:Pure and utter bullshit (1)

RyuuzakiTetsuya (195424) | more than 4 years ago | (#32440290)

or an exploit to escalate privileges to root. :)

Re:Pure and utter bullshit (1, Informative)

Anonymous Coward | more than 4 years ago | (#32440392)

Did you see that anywhere in the article?

No. They explicitly said that this could be done with a market app.

In other words, they have no exploit. They have no attack vector. This is just bullshit.

Re:Pure and utter bullshit (1)

404 Clue Not Found (763556) | more than 4 years ago | (#32440426)

The thing about a rootkit is that you need root before it works.

Installing an app from Market (or anywhere else) won't do it.

So.. in order for this to be a threat, the attacker would have to convince the user to root their phone (potentially bricking it), install their trojan app, then give that app root access.

While there may be stupid people around, the number of stupid people who would root their phone, to install an app, and give that app root access, and not know that this is a stupid thing to do is minuscule (and IMHO those that would deserve everything they get.)

This is a total non-issue.

Why would you even need root? Just make a trojaned dialer replacement app. There are plenty of dialer apps out there already because the default Android one is rather crappy. Then you'd have access to all the contacts on the phone and the ability to send and receive calls and text messages. The user would have to grant you permission at first, but obviously they'd have to do that for any dialer app.

As for spam? Anything like a webmail app to a multi-inbox like Slidescreen (which grabs messages from Facebook, Twitter, Gmail, email, etc.) could easily sit in the background spamming people with the phone's connection without root.

Android's permissions manager only asks you once per app -- when you install it -- not once every time it tries to do something.
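The install-time permission list mentioned in the comment above is the one point where a user or reviewer can see what an app will be allowed to do. As an added example that is not part of the thread, the Python below reads a decoded AndroidManifest.xml and reports permission combinations worth a second look; the rule set and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml (android:name and friends).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed rule set for illustration: combinations that deserve a second look.
RISKY_COMBOS = {
    "contacts readable and network access": {P + "READ_CONTACTS", P + "INTERNET"},
    "can receive and send SMS": {P + "RECEIVE_SMS", P + "SEND_SMS"},
    "can watch call state and place calls": {P + "READ_PHONE_STATE", P + "CALL_PHONE"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def audit(manifest_xml):
    """Return the sorted labels of every combination the app fully requests."""
    perms = requested_permissions(manifest_xml)
    return sorted(label for label, combo in RISKY_COMBOS.items() if combo <= perms)


# Constructed sample manifests in decoded text form, not taken from real apps.
DIALER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dialer">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("dialer", DIALER), ("flashlight", FLASHLIGHT)):
        print(name, audit(manifest) or "no flagged combinations")
```

A flagged combination is not proof of malice, since a legitimate dialer needs most of these; it marks the apps whose publisher and behaviour merit closer review before the one-time grant.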

Re:Pure and utter bullshit (0)

Anonymous Coward | more than 4 years ago | (#32441354)

You have to be crazy to buy an Android phone and not root it. I rooted mine almost as soon as I found out how. Root gives you more options, including the ability to install custom roms, that work even better. I would expect that at least 90% of android phones are rooted, or all those people are wasting their phone's abilities. I got a backup app on my phone. I can wipe and reflash the ROM as often as I want. I do it every time a new version is released.

Re:Pure and utter bullshit (1)

404 Clue Not Found (763556) | more than 4 years ago | (#32441440)

They're not talking about you rooting it *for your own sake*; they're talking about malware rootkits.

sooo. yeah? (4, Insightful)

Eil (82413) | more than 4 years ago | (#32440252)

I'm not trying to belittle these guys' security research or anything, but why is it surprising that you can whip up a rootkit which runs on a phone? Anything with a CPU can have backdoors made for it. The hard part has always been getting the backdoors onto arbitrary devices without the owner knowing about it.

Engineer a computer which can be proven secure and then I'll be impressed.

Not feasible (0)

Anonymous Coward | more than 4 years ago | (#32440270)

Meh fag....Too many sandboxes....not feasible for a mainstream virus. Quote me bitch

This article brought to you by.... (1, Insightful)

DrPeper (249585) | more than 4 years ago | (#32440390)

Apple, and possibly in some part by Microsoft. Competition is bad, just plain bad, when are we idiot consumers going to get this through our microscopic minds?!

Code can run on processors if installed properly. (5, Insightful)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32440394)

Film at 11.

These guys installed a fucking KERNEL MODULE into that system. Well, they can make it receive calls, or they can make it play fucking tetris. It's code. You can write whatever you want, and execute it however you want, if you have access!

Being able to run code in a given processor is NOT AN EXPLOIT, it's just basic functionality. If I got ahold of your computer, installed a CD drive in it, erased your OS, then installed Ubuntu on it, and used that to play tetris, is that considered a vulnerability too?

It would be a vuln if they had the ability to install that fucking rootkit without physical access to the phone. That's the hard part.

Article is FUD and submitter is trolling. 0/10

Re:Code can run on processors if installed properl (2, Interesting)

GNUALMAFUERTE (697061) | more than 4 years ago | (#32440402)

Sorry to reply to myself, but this ridiculous "research" comes out a day after Google announces it's ditching Windows because it's insecure. Anyone smell Microsoft behind this "independent research"?

Re:Code can run on processors if installed properl (1)

Mark19960 (539856) | more than 4 years ago | (#32440454)

Or Apple.
There has been a lot of FUD like this lately.

If they target the modding community someone will spot this VERY fast.
If they get this on 10 phones without the owner knowing I would be shocked.

They can do the same to iPhones so like you said, article fails.
Better yet, take the article and replace android with iPhone OS and now you have Apple FUD.

Re:Code can run on processors if installed properl (1)

D H NG (779318) | more than 4 years ago | (#32440886)

Google announced no such thing. It's a news story from the Financial Times that Google neither confirmed nor denied.

Where's the iPhone love?! (-1)

Anonymous Coward | more than 4 years ago | (#32440520)

C'mon, it's supposed to be on iPhone first!

After all, despite APIs being available on other platforms for years before, the iPhone gets outed for developers "phoning home" and reporting all sorts of data. Even things like SMS messages will soon be available on the iPhone (I believe WinMo/Symbian/Blackberry have APIs already...).

Now we hear of "dialing trojans" on WinMo devices.

And now rootkits on Android devices.

C'mon, where's the iPhone love for all these new sorts of trojans and exploits? Apple's just warming up to making APIs available on iPhone OS that exist on other platforms already, all ripe for the spying and hacking and such.

So what ... required physical access (3, Insightful)

smart_ass (322852) | more than 4 years ago | (#32440564)

If I get physical access to your phone I can install something that can steal all your contact info and CC #s ...
How about I steal the phone, steal the info and then reset the phone and use it myself ... no Rootkit required?

What the hell ... how is this news?

Slow day on /.

Re:So what ... required physical access (1)

Fnord666 (889225) | more than 4 years ago | (#32441266)

What the hell ... how is this news?

Apparently it's news to samzenpus, which doesn't say much for the editorial staff here.

Wrong title. (3, Funny)

mallyone (541741) | more than 4 years ago | (#32440654)

Should read: Android rootkit is just a fud call away.

Seems like a good Proof of Concept... (1)

HockeyPuck (141947) | more than 4 years ago | (#32440822)

Sure the researcher had to write a kernel module etc etc... but how does most malware get on people's computers? They inadvertently install it because they want IM icons, funny sounds, animated pointers etc etc. So what's to say someone doesn't write some Android application that appears to be harmless yet everyone wants it, then mom/dad/grandma install it?

I would be more impressed if the researcher found a way to get rootkit software through Apple's auditing process.

While I'm no apple fanboy, I would think the average Joe would take solace in the fact that a company is auditing every application that is sold through their store.

So...Your Soon-To-Be Wife Loads up Your Android (1)

BoRegardless (721219) | more than 4 years ago | (#32440960)

Ahh...open source cell phones give me that wonderful, fuzzy, anti-establishment, broke ex-husband living in a 1 room apartment feeling.

Re:So...Your Soon-To-Be Wife Loads up Your Android (2, Funny)

tmach (886393) | more than 4 years ago | (#32441012)

If my wife could create a rootkit, I wouldn't be divorcing her!

Physical Access (2, Insightful)

slater86 (1154729) | more than 4 years ago | (#32441348)

Once it's installed on the Android phone

One would assume that if you had physical access to most equipment, it's usually game over anyway. No more vulnerable than a netbook really (both being more portable than desktops). Just more people have phones.

Typical Slashdot ... (0, Flamebait)

P1aGu3ed (979864) | more than 4 years ago | (#32441350)

Android Exploit - "FUD, It's simple, not an exploit, it's by design, anyone could do it ..." etc etc iPhone Exploit - "Bloody apple, those idiots will ruin the world, what do you expect ..." etc etc Please, the bandwagon is getting full, try getting on another one.

FUD (0)

Anonymous Coward | more than 4 years ago | (#32441456)

"Android Rootkit Is Just a Phone Call Away"

No it bloody isn't.

There is no such thing as a dial to infect rootkit for android.

Microsoft Advises his employees (0)

Anonymous Coward | more than 4 years ago | (#32442086)

to leave Android and turn to more secure Windows Mobile...