Silent, Easily Made Android Rootkit Released At DefCon 133
An anonymous reader writes with news that security experts from Spider Labs released a kernel level rootkit for Android devices at DefCon on Friday. "As a proof of concept, it is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number.' This ultimately results in full root access on the Android device." The rootkit was developed over a period of two weeks, and has been handed out to DefCon attendees on DVD.
What it doesn't say (Score:5, Interesting)
Do you have to have a rooted device already in order to install it or does it use an exploit to gain this? Will it show the usual warnings about permission requirements when installing?
If it does use an exploit, it would be interesting to use this for regular rooting of the devices.
I posted this story but the editors cut out... (Score:5, Interesting)
... an important question.
(The spider labs people claim) they did this to prompt Google to issue a fix. However, since the carriers seem to be very slow in updating the Android OS for their phones (a substantial number, perhaps a majority have never received an update), WHEN CAN WE EXPECT A FIX to get to the millions of phones out there? Compare this to the Apple ecosystem which received an update for their (admittedly widely publicized) Antennagate issue within weeks (whether or not it actually fixed anything is another question). In general Apple devices are (forcibly?) updated much more quickly. Perhaps this is because of his holinesses... I mean Steve Jobs powers of persuasion. ;)
Of course as an A/C I can't prove it but if you look at the submission, you'll see that's what I said. I no longer login because I feel that while attacking a company's products is fair game (specifically Apple), having stories singling out their users as "selfish" and unkind is not "news for nerds stuff that matters". Am I an Apple fanboi? Let's just say I've used NIX for decades (yes I'm old) and I'm not talking OS X.
Two things ... (Score:4, Interesting)
1st:
Not news. Anything with a processor in it can run software. That software can do a number of things, and, considering that the processor is turing complete, it can actually do anything. Including allowing remote stealth access. That is NOT news and is NOT a vulnerability or anything to get excited about. Show me that you found a buffer overflow in Android's TCP stack that allows you to run arbitrary code on the device remotely. Of course you can put a rootkit in there after gaining access, you could run tetris for all I care. If you need unlimited rw access to the software to setup your malware, that is not fucking news.
2nd:
FTFA:
"Attendees pay $140 in cash to attend and are not required to provide their names to attend the conference. Law enforcement posts undercover agents in the audience to spot criminals and government officials recruit workers to fight computer crimes and for the Department of Defense."
(Reporting by Jim Finkle; additional reporting by Alexei Oreskovic in San Francisco; editing by Andre Grenon)
Wow. Just wow. Attentive Attendees attend to the conference. No shit. Andre Grenon could be a /. editor.
More power to open source! (Score:3, Interesting)
I deem myself lucky that all software I have installed on my N900 is open source, which means I (or anyone else) can check the code, compile it and improve it anytime I feel the need to - it's as simple as on any debian based system, "apt-get source", "make" etc. - That alone makes it the superior platform imho, though obviously it doesn't come with all the bling-bling apps and games that Apfel and Google supplies you with. For me openness trumps gimmicks anytime.
It also don't hurt that many of the tools and scripts I use on my Ubuntu workstation can directly be used on the phone as well.
On a tongue in cheek note: the only two packages (out of 868) that vrms [wikipedia.org] admonishes about are "human-icon-theme" and "tangerine-theme" - but they probably don't pose a security risk
Re:What it doesn't say (Score:3, Interesting)
Where in the article does it state this?
I can't find any info about it at least.
All the article claims is that it is a kernel module, and in that case this is really old news as we had a story about it some time ago.
Re:Not Helpful (Score:3, Interesting)
Re:I posted this story but the editors cut out... (Score:3, Interesting)
I have a Samsung Mobile from Sprint, it's running 2.1 and will no longer be upgraded by Sprint according to their news release.
Another annoyance with carriers having to provide the upgrade is they toss in extra junk programs. I have an amazon MP3 store, sprint live Nascar, and other apps that can not be removed. Samsung also tossed in a few non-standard apps, like Moxier Mail, which costs $25 on the app store. So there are some minor benefits to using the network provided Android.
I like these kernel hacks, if they cause enough problems it may force Sprint to give me 2.2!
NO. (Score:3, Interesting)
If you can "self-destruct" a phone that way, then it becomes a nifty way to do a DoS attack on those phones.
Re:I posted this story but the editors cut out... (Score:2, Interesting)
Normally I am one to not want yet another new law, but I think in this case there should be a law that says these gadget sellers and makers should support their devices for x-years, whether they want to or not, beyond the normal short warranties and covering more stuff. And that would include security fixes. They are obviously just wanting you to trash perfectly functional devices to buy something new all the time.
Re:At talk right now ... NON-ISSUE! (Score:3, Interesting)
But that's the point... no attack vector means nothing interesting. The rootkit and its capabilities are presumed! It's common knowledge that anything software (kernel and higher) can do, a rootkit can do. Software can obviously make calls, read and send text messages, etc., therefore a rootkit can too. Same goes with Apple, by the way.
I'm not saying that there is no attack vector... just that this story is a non-issue, as all it exposes is already obvious. Let a hacker find an attack vector. Hopefully he'll present it next DEFCON, and that would be very interesting. Regardless, the rootkit never was the technical challenge.
FWIW, a subsequent presentation does show a privilege escalation Android exploit. Was very cool. Anyone who can write one of these can drool the rootkit in his sleep.
Re:I posted this story but the editors cut out... (Score:1, Interesting)
Cellphone manufacturers/telcos have historically not patched exploits.
Re:At talk right now ... NON-ISSUE! (Score:1, Interesting)
Where's the fanboyism in this? Anyone with a jailbroken iPhone has exactly the same "vulnerability", and that's that they could install untrusted code with arbitrary privilege. There is no remote attack vector, and for any phone in its stock configuration, there isn't even a local one.
But you keep on rocking with that persecution complex.
Re:I posted this story but the editors cut out... (Score:3, Interesting)
They are by no means forcibly updated, they are just automatically updated. The imperative to update is that the whole community updates quickly and if you stay behind, new 3rd party software is harder to use. For example, if you are on iOS v2 right now (which almost nobody is), there are many apps you can't install until you update. So 77% of Macs are running the latest Mac OS, and even though iOS v4 is only a month old, it's already on a higher percentage of iPhones than Android v2. By September or so, it will be hard to find an iPhone running iOS v3. So Apple platforms are a moving target.