Sort of, not trying to take anything away, it's a nice rootkit. Though, in the end, an LKM is an LKM... It's not really a new technique or a specific vulnerability in Android.
If an attacker has root, then the game is essentially over.

-Tim Strazzere

On Thu, Sep 6, 2012 at 10:20 AM, christian papathanasiou <[email protected]> wrote:

> On the topic of (real) kernel-level Android rootkits, I find the following
> initiative quite noteworthy:
>
> http://redmine.poppopret.org/projects/suterusu
>
> Fully fledged kernel rootkit with all the functionality we know and love.
> The only thing missing is a reverse shell.
>
> He also created a kernel level hook which unlocks the screenlock of an
> infected mobile irregardless of swipe code set if you hold down your
> phone's volume keys in a particular sequence.
>
> Now *that* my friends is how it is done, anything else we can dismiss as
> child's play.
>
> Christian Papathanasiou
>
> On Sep 6, 2012 6:08 PM, "Tim" <[email protected]> wrote:
>
>> What's leading you to believe #2? I agree that is the solution if this is
>> indeed tapjacking.
>>
>> Though sadly, every time I or other people have asked for a PoC or
>> explanation, we've been met with radio silence. Until I can get my hands on
>> this or a full explanation, I'm inclined to believe that this "rootkit" is
>> just a custom launcher.
>>
>> -Tim Strazzere
>>
>>
>> On Thu, Sep 6, 2012 at 10:04 AM, Subodh Iyengar <[email protected]> wrote:
>>
>>> Three things:
>>> 1. This type of malware is already known in the community, so much so
>>> that it already has a name for itself, "Tapjacking".
>>> 2. This is already solved using the setFilterTouchesWhenObscured flag in
>>> Gingerbread and beyond.
>>> 3. This type is not really a "rootkit", when the OS can detect it's
>>> running.
>>>
>>>
>>> On Wednesday, July 4, 2012 2:22:05 AM UTC-7, RichardC wrote:
>>>>
>>>> http://www.theregister.co.uk/2012/07/04/poc_android_clickjacking_rootkit/
>>>>
>>>>
>>>> *"The clickjacking vulnerability is present in Android 4.0.4 (Ice
>>>> Cream Sandwich) and earlier versions of the smartphone OS. The mechanism -
>>>> described as a "user interface readdressing attack" - means the malware can
>>>> be installed by a user thinking he or she is agreeing to some other action
>>>> and without a reboot. No privilege escalation is needed, nor any nobbling
>>>> of the operating system's core kernel."*
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Android Security Discussions" group.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msg/android-security-discuss/-/bb9GUmu-cVEJ.
>>>
>>> To post to this group, send email to
>>> [email protected].
>>> To unsubscribe from this group, send email to
>>> [email protected].
>>> For more options, visit this group at
>>> http://groups.google.com/group/android-security-discuss?hl=en.
