Please create an account to participate in the Slashdot moderation system


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Security Cellphones News Linux

Silent, Easily Made Android Rootkit Released At DefCon 133

Posted by Soulskill
from the it-slices-it-dices dept.
An anonymous reader writes with news that security experts from Spider Labs released a kernel level rootkit for Android devices at DefCon on Friday. "As a proof of concept, it is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number.' This ultimately results in full root access on the Android device." The rootkit was developed over a period of two weeks, and has been handed out to DefCon attendees on DVD.
This discussion has been archived. No new comments can be posted.

Silent, Easily Made Android Rootkit Released At DefCon

Comments Filter:
  • by Anonymous Coward on Saturday July 31, 2010 @11:55AM (#33096062)

    No, it doesn't need to be rooted, it's a kernel exploit, so it will give you root. The problem is Android people not picking up the Linux kernel fix for this. I guess they're really busy seeing as it was fixed back in May 2009! Shame on them. It just goes to show that you can't trust any of them. You'd expect new Andy release would use a new kernel. I wonder what Froyo is using...

  • Re:Oh how clever... (Score:4, Informative)

    by erroneus (253617) on Saturday July 31, 2010 @12:17PM (#33096214) Homepage

    I think you and many others on your side of the fence are missing something important. You know those cheap tiny "locks" that come with so many little boxes or other devices? The ones that all have the same key? Would you consider using those to lock anything important up? I'm guessing you wouldn't. You probably realize that they are too weak even to be considered a lock at all.

    For some im/morality is enough of a deterrent to prevent them from doing bad things. For others, fear of punishment under the law might be enough. But without a doubt, it's not enough for everyone. Some of those people will go to great and surprising lengths to get what they want. And there are most certainly weaknesses and vulnerabilities that are not shared with the general public. And without these larger events that literally celebrate sneaky, underhanded tricks, the "secrets" shared there would also remain as dark, underground secrets that are known by a few.

    Let's put it another way. These events that you seem to believe shouldn't exist serve as a spotlight not only to humiliate the vendors and producers of bad locks, but also sheds light on otherwise dark and unknown vulnerabilities giving the public an opportunity for awareness they wouldn't otherwise have and for them not to become victims of these weaknesses. These celebrations help to reduce the number of secret vulnerabilities by making them less secret.

    Do you really think it would be better if people got owned and never find out why or how?

    Some of these security researchers are the Louis Pasteurs of the day. Before Pasteur, people believed in "spontaneous generation." Currently, many people still believe their computers and other devices are simply magic.

  • Re:Cool (Score:4, Informative)

    by MrHanky (141717) on Saturday July 31, 2010 @01:27PM (#33096592) Homepage Journal

    You don't need to flash your phone to root it. (How do you flash your phone without rooting it?) Here []'s how I did mine.

  • by Anonymous Coward on Saturday July 31, 2010 @01:47PM (#33096700)

    No, this is a kernel module not an application. Kernel modules cannot be installed from the application store.

  • Re:Reverse TCP? (Score:3, Informative)

    by OopsIDied (1764436) on Saturday July 31, 2010 @01:57PM (#33096780)

    It means that the rootkit can establish a connection from the victim to the attacker and receive orders from him/her. Since it's TCP i'm guessing it can also connect to IRC and other services that use TCP rather than UDP or more obscure protocols.

  • by AnEducatedNegro (1372687) on Saturday July 31, 2010 @02:03PM (#33096836)
    uh the rootkit also enables you to break out of the vm. but the problem here is the application inside the vm didn't break out. it has no way of interfacing with the system until the vm creates an interface. so again, you cannot break out of the vm as a developer. there are no magic holes in davlikvm. if you re-read the thread it all started with people saying "omg can we just click and exploit?!" and the answer is no you cannot. you may be able to attack specific devices (again, see sdx-developers).

    i do want to thank you for reaffirming my statement. we need to provide the security ourselves and protect our phones.
  • by Jahava (946858) on Saturday July 31, 2010 @02:21PM (#33096924)

    So yet more developers want to make a make for themselves by elevating a non-issue. I am currently attending their talk, and must admit that I am disappointed.

    The first half of the presentation is them chatting rooting a phone is desirable due to its intimate association with the user.No shit! Everybody knows this.

    So let's get to the interesting part: There is no new attack vector. No propagation from Dalvik VM to kernel. No new technique. They wrote a Linux rootkit, like anyone can do. It is a kernel module. Anyone can make one of those. It hooks the kernel in various places to hide itself from various process / module listings. How innovative? Please.

    The call this an exploit ... nothing is exploited. They willingly participate in the installation at the root level. Their conclusion seems to be that someone with root has access to everything on a system. Shocking, eh?

    The only funny part is that this took them 2 weeks to create. How terribly disappointing.

  • by Anonymous Coward on Saturday July 31, 2010 @06:46PM (#33098402)

    The article is a troll piece hoping for clicks for ads. Here's the bug in question []

Make sure your code does nothing gracefully.