Android is virtually Linux with ~3MB of kmode patches and Linux rootkits are nothing new. The integration with the Android runtime and Android kernel patches is interesting. What I find more interesting:
- The OS/manufacturers only offer soft-resets of user data. If the rootkit is installed onto the system partition it will survive these soft resets, as the /system partition is kept more or less intact.
- As a security app vendor we can't reach outside of the sandbox to examine privileged arenas of the device. (Unless we support jailbroken phones or partner with enterprise mgmt frameworks currently being baked into devices.)

These two caveats indicate that these Android rootkits will be a fully persistent threat.

-R

> -----Original Message-----
> From: [email protected] [mailto:android-[email protected]] On Behalf Of Tim
> Sent: Thursday, September 06, 2012 10:22 AM
> To: christian papathanasiou
> Cc: [email protected]; Subodh Iyengar
> Subject: Re: [android-security-discuss] Re: Security boffins brew devilish Android rootkit
>
> Sort of, not trying to take anything away, it's a nice rootkit. Though, in the end, an LKM is an LKM... It's not really a new technique or a specific vulnerability in Android.
>
> If attacker has root, then the game is essentially over.
>
> -Tim Strazzere
>
> On Thu, Sep 6, 2012 at 10:20 AM, christian papathanasiou <[email protected]> wrote:
>
> On the topic of (real) kernel-level Android rootkits, I find the following initiative quite noteworthy:
>
> http://redmine.poppopret.org/projects/suterusu
>
> Fully fledged kernel rootkit with all the functionality we know and love. The only thing missing is a reverse shell.
>
> He also created a kernel level hook which unlocks the screenlock of an infected mobile regardless of swipe code set if you hold down your phone's volume keys in a particular sequence.
>
> Now *that* my friends is how it is done, anything else we can dismiss as child's play.
>
> Christian Papathanasiou
>
> On Sep 6, 2012 6:08 PM, "Tim" <[email protected]> wrote:
>
> What's leading you to believe #2? I agree that is the solution if this is indeed tapjacking.
>
> Though sadly, every time I or other people have asked for a PoC or explanation, we've been met with radio silence. Until I can get my hands on this or a full explanation, I'm inclined to believe that this "rootkit" is just a custom launcher.
>
> -Tim Strazzere
>
> On Thu, Sep 6, 2012 at 10:04 AM, Subodh Iyengar <[email protected]> wrote:
>
> Three things:
> 1. This type of malware is already known in the community, so much so that it already has a name for itself, "Tapjacking".
> 2. This is already solved using the setFilterTouchesWhenObscured flag in Gingerbread and beyond.
> 3. This type is not really a "rootkit", when the OS can detect it's running.
>
> On Wednesday, July 4, 2012 2:22:05 AM UTC-7, RichardC wrote:
>
> http://www.theregister.co.uk/2012/07/04/poc_android_clickjacking_rootkit/
>
> "The clickjacking vulnerability is present in Android 4.0.4 (Ice Cream Sandwich) and earlier versions of the smartphone OS. The mechanism - described as a "user interface redressing attack" - means the malware can be installed by a user thinking he or she is agreeing to some other action and without a reboot. No privilege escalation is needed, nor any nobbling of the operating system's core kernel."
>
> --
> You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/android-security-discuss/-/bb9GUmu-cVEJ.
> To post to this group, send email to android-[email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
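The thread names setFilterTouchesWhenObscured as the Gingerbread-era fix for tapjacking but does not show it in use. The following is an added illustration, not code from any participant, the Suterusu project or the article discussed: a hypothetical Android Button subclass (package, class and hook names are assumptions) that applies that flag and, as defence in depth, refuses any touch whose MotionEvent carries FLAG_WINDOW_IS_OBSCURED. Both APIs are real and exist since API level 9.

```java
package example.tapjacking; // hypothetical package for this illustration

import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Button for security-sensitive confirmations ("Install", "Grant", "Pay")
 * that will not accept a tap delivered while another window is drawn on
 * top of it. Two layers:
 *
 *  1. setFilterTouchesWhenObscured(true): the framework discards the touch
 *     before onTouchEvent() runs (same as android:filterTouchesWhenObscured
 *     ="true" in layout XML).
 *  2. FLAG_WINDOW_IS_OBSCURED check in onTouchEvent(): only reached if a
 *     caller later turns filtering off; still refuses the click and logs it.
 */
public class ObscuredTouchFilteringButton extends Button {

    private static final String TAG = "Tapjacking"; // assumed log tag

    public ObscuredTouchFilteringButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Layer 1: let the input system drop obscured touches for us.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onTouchEvent(MotionEvent event) {
        // Layer 2: the dispatcher sets this flag when any other window
        // (toast, TYPE_SYSTEM_ALERT overlay, another activity) covers the
        // touched point, i.e. the user may be tapping a decoy, not us.
        if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            onObscuredTouch(event);
            return false; // never becomes a click
        }
        return super.onTouchEvent(event);
    }

    /** Hypothetical hook for telemetry; override to report attempts. */
    protected void onObscuredTouch(MotionEvent event) {
        Log.w(TAG, "Dropped touch while obscured at "
                + event.getX() + "," + event.getY());
    }
}
```

Two caveats for anyone relying on this: it only protects views that opt in, so it does nothing for the rest of the system and does not detect or remove the overlaying app (Subodh's third point), and the flag as it existed in Gingerbread covers full obscuring only; FLAG_WINDOW_IS_PARTIALLY_OBSCURED was not added until API 29.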
