Silent, Easily Made Android Rootkit Released At DefCon 133
An anonymous reader writes with news that security experts from Spider Labs released a kernel level rootkit for Android devices at DefCon on Friday. "As a proof of concept, it is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number.' This ultimately results in full root access on the Android device." The rootkit was developed over a period of two weeks, and has been handed out to DefCon attendees on DVD.
What it doesn't say (Score:5, Interesting)
Do you have to have a rooted device already in order to install it or does it use an exploit to gain this? Will it show the usual warnings about permission requirements when installing?
If it does use an exploit, it would be interesting to use this for regular rooting of the devices.
Re: (Score:3, Insightful)
Wouldn't it be trivial for a developer to add the code to an app store offering that seems to have some legitimate need for any permissions requested?
Re: (Score:1, Informative)
No, this is a kernel module not an application. Kernel modules cannot be installed from the application store.
Re: (Score:2, Informative)
No, it doesn't need to be rooted, it's a kernel exploit, so it will give you root. The problem is Android people not picking up the Linux kernel fix for this. I guess they're really busy seeing as it was fixed back in May 2009! Shame on them. It just goes to show that you can't trust any of them. You'd expect new Andy release would use a new kernel. I wonder what Froyo is using...
Re: (Score:3, Interesting)
Where in the article does it state this?
I can't find any info about it at least.
All the article claims is that it is a kernel module, and in that case this is really old news as we had a story about it some time ago.
Re:What it doesn't say (Score:4, Informative)
The article is a troll piece hoping for clicks for ads. Here's the bug in question [secunia.com]
Re: (Score:2)
2.6.32.9-g103d848 is what uname on my 2.2 running droid says.
Re: (Score:2)
Assuming that the rootkit works without needing any suspicious permissions, you won't get any additiona
Re:What it doesn't say (Score:5, Insightful)
Re: (Score:3, Insightful)
Really? Can't break out of the VM, period?
If the application uses this [android.com] little toolchain to provide a native code .so, you're able to break right on out of the VM, possibly never to return. It's not very hard at all- and there's a host of possible exploits to apply once you're in that space, all depending on how locked down the user account actually is on your Android device.
Let's all face a real fact here. Security has little to do with technology in and of itself. There's an aspect of it within the des
Re: (Score:3, Informative)
i do
Re: (Score:2)
Actually, if you make a native call, you're outside of the VM unless the code you called gives it back to the VM. It's been the same since the UCSD P-Code system DECADES ago (and, yes, I've been at it that long, folks...). Any system calls you make or similar leave you open to attack.
It's NOT unhackable. It's not invulnerable. If you think it is, you're fooling itself. Now, your statement wasn't one of that- it was one of the VM being incapable of being broken out of as a sandbox. Which, you will find
Re: (Score:2)
itself==yourself... Sigh... Need to check my posts a little closer before submitting them.
Re: (Score:1)
It's also time to realize that our phones are full fledged computers. You gotta protect them.
I completely agree. I keep my iPhone in a condom at all times. I get some funny looks when I'm holding it, especially when I'm not using my bluetooth, but it's worth it to be safe.
Re: (Score:2, Funny)
Helps with reception too.
Re: (Score:3, Insightful)
This is no different than having a rootkit on your windows box and tethering it through your phone. All the phone company sees are packets. It's also time to realize that our phones are full fledged computers. You gotta protect them.
Eh, oops... You just lost 99% of the general audience.
The phone that will win the market is the phone made where the hardware/software/service providers are willing to guarantee to you to make consistent and continued effort to protect our phone from malware and problems, versus just declare it a "computer" and let YOU do it.
Re: (Score:2)
Everything is a computer now or soon will be. Not everyone is a computer scientist or soon will be. Therefore, computers have to be secured by the manufacturer, not by the user.
This is consumer computing, not kit sales. Android phones are sold to consumers. There is no excuse for the manufacturer not patching them. Any comparison that is similar to Windows is not a defense, it's an indictment. Consumers did not choose Windows ... PC makers did.
Re: (Score:2)
What the fuck does iPhone have to do with this? Absolutely nothing.
You don't have to sneak anything into Android Market. The apps aren't audited, and apps can be installed from other sources as well. And since there is so little money in it, the incentive to put on a black hat is large. This is all 180 degrees opposite to iPhone. Completely different.
Re: (Score:2)
What the fuck does iPhone have to do with this? Absolutely nothing.
I think his point was that if you can sneak something like that into the iPhone's app store, surely it's easy to get it in the android app store. Don't think he realised the android app store is basically free to get into.
You don't have to sneak anything into Android Market. The apps aren't audited, and apps can be installed from other sources as well. And since there is so little money in it, the incentive to put on a black hat is large. This is all 180 degrees opposite to iPhone. Completely different.
IIRC, it's basically a 100$ to get an app into the itunes app store. It's harder to get a proof of concept in there, but I'm pretty sure anyone motivated to put some real malware in there stands to make a bit more than that. Even if I follow your assumption that there's more legit money to
A little social engineering there? (Score:2)
Nice example that you wanted him to use -- the one that was shown to NOT be what the news made it out to be. Are you trying to trick him into making a false anecdote to buttress his claim, thereby giving you reason to laugh at him for that?
Re: (Score:1)
Re: (Score:2)
The purpose of rootkits is to allow you to keep root access after you've gotten it, not to give it to you in the first place. Getting it in the first place is outside the scope of this software.
Apple (Score:1, Insightful)
iPhone will always be the safest phone, all you linux and windows noobs getting your viruses and what not. All hail Apple!
My phone is safer than the iphone (Score:1)
Unfortunately, they turned off the analogue towers here a few years ago....
Re: (Score:2)
I think your post's parent is hearing voices in something other than a cell phone
Re: (Score:2)
It's just you:
Domain Name: CULTOFMAC.COM
Creation Date: 31-jan-2002
Not Helpful (Score:2, Insightful)
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:1, Funny)
Just another assh---
I find myself wondering about the sort of person who has no problems with the word "ass" but is so offended by the word "hat" that he (or she) feels the need to censor it in a slashdot comment.
Re: (Score:2)
I found myself wondering when "assh" was released and why I missed it, and, most importantly, how it is different from bash and zsh.
I guess it's meant to be a BOFH's shell of choice.
Re: (Score:2)
Probably someone who's used to working around bad word filters. A lot of the lolspeak you find in online games these days makes a lot more sense when you realise it partly grew out of a desire to dodge autobans and the like.
Re: (Score:3, Insightful)
Therefore if the Android OS is to be shown t
Re: (Score:2)
We already know from this conference that "Jackeeey Wallpaper" collects and publishes phone numbers and browser history from the phone
Actually what we know is that no such thing happened and that nearly the whole story was made up [techcrunch.com]. I suppose it is still fun to spread the FUD around though!
Re: (Score:2)
Oh how clever... (Score:2, Funny)
I've noticed a 0-day vulnerability in old ladies in that I can hit them over the head with a cudgel and steal their handbags. I'm going to a black-hat muggers conference to hand out cudgels and more detailed instruction. But that doesn't make be an utter scumbag, oh no. I'm a "security researcher", that's what I am, only interested in increased security for old ladies.
Re:Oh how clever... (Score:4, Funny)
I've noticed a 0-day vulnerability in old ladies in that I can hit them over the head with a cudgel and steal their handbags.
Already patched; the handbags have been upgraded to include a pink-enameled snub .38.
Re: (Score:1)
Re: (Score:2)
It's funny because it's true, [usgalco.com] scroll down to the bottom, they have a whole line of purses with built-in holsters.
Re: (Score:1)
Re:Oh how clever... (Score:4, Informative)
I think you and many others on your side of the fence are missing something important. You know those cheap tiny "locks" that come with so many little boxes or other devices? The ones that all have the same key? Would you consider using those to lock anything important up? I'm guessing you wouldn't. You probably realize that they are too weak even to be considered a lock at all.
For some im/morality is enough of a deterrent to prevent them from doing bad things. For others, fear of punishment under the law might be enough. But without a doubt, it's not enough for everyone. Some of those people will go to great and surprising lengths to get what they want. And there are most certainly weaknesses and vulnerabilities that are not shared with the general public. And without these larger events that literally celebrate sneaky, underhanded tricks, the "secrets" shared there would also remain as dark, underground secrets that are known by a few.
Let's put it another way. These events that you seem to believe shouldn't exist serve as a spotlight not only to humiliate the vendors and producers of bad locks, but also sheds light on otherwise dark and unknown vulnerabilities giving the public an opportunity for awareness they wouldn't otherwise have and for them not to become victims of these weaknesses. These celebrations help to reduce the number of secret vulnerabilities by making them less secret.
Do you really think it would be better if people got owned and never find out why or how?
Some of these security researchers are the Louis Pasteurs of the day. Before Pasteur, people believed in "spontaneous generation." Currently, many people still believe their computers and other devices are simply magic.
Re:Oh how clever... (Score:4, Funny)
computers and other devices are simply magic.
Why wouldn't they; some of them are even advertised that way.
Re: (Score:1, Insightful)
If you're going to believe in advertising, you might as well believe in magic anyway
Re: (Score:2)
If you're going to believe in advertising, you might as well believe in magic anyway
Have a closer look at most of the people all around you.
Now read what you just wrote, once again.
Re: (Score:2, Insightful)
computers and other devices are simply magic.
Why wouldn't they; some of them are even advertised that way.
Like my electronics teacher told my class "if you really think that n-p-n junctions are actually how semi-conductors work, you'll believe anything you are told".
The scientific and logical explanations for the phenomena that underlie the technology we use are simply that, explanations. You'll never see n-p-n junctions under any microscope, because there probably aren't any.
Even if there were, think about it, it won't make the phenomena of natural processes any less magical.
All is magic...
Re: (Score:1, Insightful)
"A wise man once said that any sufficiently advanced technology is indistinguishable from magic"
for many people we've reached that point
Re: (Score:2)
You know those cheap tiny "locks" that come with so many little boxes or other devices? The ones that all have the same key? Would you consider using those to lock anything important up? I'm guessing you wouldn't.
Absolutely! Well, maybe it would be sufficient for, like, an ATM...
Re: (Score:2)
I think you and many others on your side of the fence are missing something important. You know those cheap tiny "locks" that come with so many little boxes or other devices? The ones that all have the same key? Would you consider using those to lock anything important up? I'm guessing you wouldn't. You probably realize that they are too weak even to be considered a lock at all.
That brings up a funny story.
When I was in 9th grade, I used one of those cheap locks to lock up my gym/tennis crap (just tennis shorts, shoes, nothing big) and someone broke it open to steal my shorts. Well, seeing as they are tennis shorts, and only people that play tennis usually wear them, it wasn't hard for me to figure out who stoled them.
So what did I do?
Nothing. He was a big thug and it wasn't worth me getting my ass kicked.
Re: (Score:1)
Re: (Score:3, Insightful)
In this case, the little old ladies already have to be holding the cudgel as well as the handbag.
Re: (Score:2)
I've noticed a 0-day vulnerability in old ladies in that I can hit them over the head with a cudgel and steal their handbags. I'm going to a black-hat muggers conference to hand out cudgels and more detailed instruction. But that doesn't make be an utter scumbag, oh no. I'm a "security researcher", that's what I am, only interested in increased security for old ladies.
Sorry, My Great-Great-Great-notsoGreat-Grandfather patented this back in 1800's. It's in public domain now.
Re: (Score:1)
Cool (Score:2)
Can this be used to gain root on Android devices with a locked bootloader? That would be neat. Imagine rooting your phone without having to flash it.
Re:Cool (Score:4, Informative)
You don't need to flash your phone to root it. (How do you flash your phone without rooting it?) Here [doshaska.net]'s how I did mine.
I posted this story but the editors cut out... (Score:5, Interesting)
... an important question.
(The spider labs people claim) they did this to prompt Google to issue a fix. However, since the carriers seem to be very slow in updating the Android OS for their phones (a substantial number, perhaps a majority have never received an update), WHEN CAN WE EXPECT A FIX to get to the millions of phones out there? Compare this to the Apple ecosystem which received an update for their (admittedly widely publicized) Antennagate issue within weeks (whether or not it actually fixed anything is another question). In general Apple devices are (forcibly?) updated much more quickly. Perhaps this is because of his holinesses... I mean Steve Jobs powers of persuasion. ;)
Of course as an A/C I can't prove it but if you look at the submission, you'll see that's what I said. I no longer login because I feel that while attacking a company's products is fair game (specifically Apple), having stories singling out their users as "selfish" and unkind is not "news for nerds stuff that matters". Am I an Apple fanboi? Let's just say I've used NIX for decades (yes I'm old) and I'm not talking OS X.
Re: (Score:2)
Re: (Score:1, Interesting)
Cellphone manufacturers/telcos have historically not patched exploits.
Re: (Score:2)
> Apple has historically been very slow in patching exploits.
Bullshit. That is just not true. Java is a bad example because it's 3rd party software, not system software. The reality is that every Apple device gets a new kernel every few months, and a number of security patches per year.
Apple may take a little longer than others to release a patch for an issue that say, exists on all Unix, because they do extra testing due to the fact that they have consumer and creative users. Most Macs don't have an I-T
Re: (Score:3, Interesting)
I have a Samsung Mobile from Sprint, it's running 2.1 and will no longer be upgraded by Sprint according to their news release.
Another annoyance with carriers having to provide the upgrade is they toss in extra junk programs. I have an amazon MP3 store, sprint live Nascar, and other apps that can not be removed. Samsung also tossed in a few non-standard apps, like Moxier Mail, which costs $25 on the app store. So there are some minor benefits to using the network provided Android.
I like these kernel hacks
Re: (Score:2, Interesting)
Normally I am one to not want yet another new law, but I think in this case there should be a law that says these gadget sellers and makers should support their devices for x-years, whether they want to or not, beyond the normal short warranties and covering more stuff. And that would include security fixes. They are obviously just wanting you to trash perfectly functional devices to buy something new all the time.
Re: (Score:1)
As long as the phones are tied to a two year contract - certainly. As long as they are conspiring with the hardware manufacturers certainly. I do not mind buying some new all the time, indeed I wouldn't mind upgrading my Droid to either an Incredible or a Droid-2 when it comes out, but unless I pay some extortionate price for the thing I can't. Yes, I said extortionate deliberately - their price for the device is inflated so as to only purchase in two year increments. There is no way that my Droid costs mor
Re: (Score:1)
Ya, pretty radical left, I know....
Re: (Score:2)
Re: (Score:2)
Interestingly enough - the Amazon mp3 app comes with the stock Nexus One rom ;).
Re: (Score:2)
I have a Samsung Mobile from Sprint,
99.999% sure you mean "Moment" not "Mobile".
I have one also, and it is the most disappointing tech purchase I've ever made...
it's running 2.1 and will no longer be upgraded by Sprint according to their news release.
Another annoyance with carriers having to provide the upgrade is they toss in extra junk programs. I have an amazon MP3 store, sprint live Nascar, and other apps that can not be removed. Samsung also tossed in a few non-standard apps, like Moxier Mail, which costs $25 on the app store. So there are some minor benefits to using the network provided Android.
I like these kernel hacks, if they cause enough problems it may force Sprint to give me 2.2!
Dream on. Nothing can force Sprint to put out a 2.2 load for the Moment, because it is not their device. It is Samsung's hardware, and Samsung has made every dime they ever can from every Moment sold so far, and they have no interest in having any more sold. The phone has serious widely reported defects[0] [slashdot.org] and Samsung has already moved on to their next round of consumer fraud^W^Wmode
Re: (Score:2)
Nope. Apple does not force any software update on anyone. I have my original iPhone still running at 2.something (with the SMS flaw), simply because I was too lazy to do the required jailbreaking on it.
This is unlike say, the Palm Pre, where you can delay an update, but you can't avoid it. I think Android devices are also voluntary updates as well, but th
Re: (Score:1)
In this particular case there is nothing to patch - the iPhone is *just* as vulnerable to this as Android too.
In order to run this particular "exploit" you have to first root the phone, wipe your old OS off the phone, and install the new one they provide. One can also jailbreak and iPhone and install a different OS or rootkit on their phone too. If you want to "patch" this do what Motorola did with the Droid-X - disallow a custom rom to be installed and not allow you outside the dalvik VM (and in that case
Re: (Score:3, Interesting)
They are by no means forcibly updated, they are just automatically updated. The imperative to update is that the whole community updates quickly and if you stay behind, new 3rd party software is harder to use. For example, if you are on iOS v2 right now (which almost nobody is), there are many apps you can't install until you update. So 77% of Macs are running the latest Mac OS, and even though iOS v4 is only a month old, it's already on a higher percentage of iPhones than Android v2. By September or so, it
Re: (Score:2)
There probably isn't a fix - as this is a kernel module it would be tricky at best to install from a regular app (from inside the vm). This would mostly affect phones that have easily customizable roms.
Checking to see if the kernel is tainted is tricky because once the kernel is patched by malicious code its pretty much game over from that point on as the rootkit is going to cloak itself from anything that could check.
Apple would have the same problem - with little recourse, but then they don't really care
Two things ... (Score:4, Interesting)
1st:
Not news. Anything with a processor in it can run software. That software can do a number of things, and, considering that the processor is turing complete, it can actually do anything. Including allowing remote stealth access. That is NOT news and is NOT a vulnerability or anything to get excited about. Show me that you found a buffer overflow in Android's TCP stack that allows you to run arbitrary code on the device remotely. Of course you can put a rootkit in there after gaining access, you could run tetris for all I care. If you need unlimited rw access to the software to setup your malware, that is not fucking news.
2nd:
FTFA:
"Attendees pay $140 in cash to attend and are not required to provide their names to attend the conference. Law enforcement posts undercover agents in the audience to spot criminals and government officials recruit workers to fight computer crimes and for the Department of Defense."
(Reporting by Jim Finkle; additional reporting by Alexei Oreskovic in San Francisco; editing by Andre Grenon)
Wow. Just wow. Attentive Attendees attend to the conference. No shit. Andre Grenon could be a /. editor.
Re: (Score:2)
Speaking of which, I was kind of wondering if this was some underhanded attempt at an attack on the image of Android by Apple. Isn't this what they called FUD in regards to Microsoft propaganda? This is definitely FUD as well, and maybe Apple is the one that is propagating it these days. Though they are smarter about not tying it back to themselves...
More power to open source! (Score:3, Interesting)
I deem myself lucky that all software I have installed on my N900 is open source, which means I (or anyone else) can check the code, compile it and improve it anytime I feel the need to - it's as simple as on any debian based system, "apt-get source", "make" etc. - That alone makes it the superior platform imho, though obviously it doesn't come with all the bling-bling apps and games that Apfel and Google supplies you with. For me openness trumps gimmicks anytime.
It also don't hurt that many of the tools and scripts I use on my Ubuntu workstation can directly be used on the phone as well.
On a tongue in cheek note: the only two packages (out of 868) that vrms [wikipedia.org] admonishes about are "human-icon-theme" and "tangerine-theme" - but they probably don't pose a security risk
Re: (Score:2)
Re: (Score:2)
I'm always willing to get my facts straight
Re: (Score:3, Insightful)
And have you?
If you haven't, you're not that much better off. Assuming others have read the source and checked for security isn't a very good policy.
Difference between open source and closed source (Score:1)
With open source, it's easier for the good guys to spot - and fix - problems.
Reverse TCP? (Score:2)
What does that even mean?
Re: (Score:1, Funny)
What does that even mean?
PCT. Duh.
Re: (Score:3, Informative)
It means that the rootkit can establish a connection from the victim to the attacker and receive orders from him/her. Since it's TCP i'm guessing it can also connect to IRC and other services that use TCP rather than UDP or more obscure protocols.
Re: (Score:2)
Ohhh they didn't mean reversing the concept of TCP, they really meant to just reverse the direciton of connection. They really could've phased that better.
Justification for eFuses? (Score:1)
Looks like MOT is thinking about this--if you do want a secure phone, seems like hardware verification of ROMs and bootloader are a necessary starting point. That at least gives you a solid foundation to build a security infrastructure on. Now let's see MOT build on this by releasing rootkit detector
NO. (Score:3, Interesting)
If you can "self-destruct" a phone that way, then it becomes a nifty way to do a DoS attack on those phones.
Re: (Score:2, Insightful)
Re: (Score:2)
I would rather root my phone, than have motorola provide security. By which they mean decide what software you are allowed to use.
At talk right now ... NON-ISSUE! (Score:5, Informative)
So yet more developers want to make a make for themselves by elevating a non-issue. I am currently attending their talk, and must admit that I am disappointed.
The first half of the presentation is them chatting about.how rooting a phone is desirable due to its intimate association with the user.No shit! Everybody knows this.
So let's get to the interesting part: There is no new attack vector. No propagation from Dalvik VM to kernel. No new technique. They wrote a Linux rootkit, like anyone can do. It is a kernel module. Anyone can make one of those. It hooks the kernel in various places to hide itself from various process / module listings. How innovative? Please.
The call this an exploit ... nothing is exploited. They willingly participate in the installation at the root level. Their conclusion seems to be that someone with root has access to everything on a system. Shocking, eh?
The only funny part is that this took them 2 weeks to create. How terribly disappointing.
Re: (Score:3, Interesting)
But that's the point... no attack vector means nothing interesting. The rootkit and its capabilities are presumed! It's common knowledge that anything software (kernel and higher) can do, a rootkit can do. Software can obviously make calls, read and send text messages, etc., therefore a rootkit can too. Same goes with Apple, by the way.
I'm not saying that there is no attack vector... just that this story is a non-issue, as all it exposes is already obvious. Let a hacker find an attack vector. Hopefully he'l
Re: (Score:1, Insightful)
What the hell are you talking about?
The OP makes a perfectly valid point...
Little sensitive much?
Re: (Score:1, Interesting)
Where's the fanboyism in this? Anyone with a jailbroken iPhone has exactly the same "vulnerability", and that's that they could install untrusted code with arbitrary privilege. There is no remote attack vector, and for any phone in its stock configuration, there isn't even a local one.
But you keep on rocking with that persecution complex.
Re: (Score:1)
Yea because if you jailbreak and iPhone we all know you can't install malicious software. If you could then we would all be making 500+ posts over it. Here not only do you have to root the phone but you have to erase your old OS and install theirs - obviously MUCH easier than on the iPhone (and there is a fix for this - it is called and eFuse on the Droid-X but that is Evil(TM) and shouldn't be allowed).
It is not a *new* attack vector nor a particularly interesting one any more than a rootkit on a jailbroke
I Don't Care (Score:1)
I only do online banking with my phone.... all the important stuff like Facebook and Twitter I ONLY do from my Windows 2000 machine at home. (Security through Obscurity - you should try it sometime)
"Walled Garden": BAD! "Open Sores": GOOD! (Score:2)
"Paging Ed Felten. Will a Mr. Ed Felten please pick the white courtesy 'PWN', please? Thank you!"
That's what they think. (Score:2, Troll)
I bet the Android rootkit isn't the only rootkit on that CD... I for one wouldn't put anything I obtained at DefCon into any equipment I owned. Maybe not even into my shredder.
Re: (Score:2)
I bet the Android rootkit isn't the only rootkit on that CD... I for one wouldn't put anything I obtained at DefCon into any equipment I owned. Maybe not even into my shredder.
Ya, that happened to me. Had a disc with some virus & trojans on it. I put it in my electric shredder and sure enough, my shredder got infected. Then it, using the electric outlet, infected my oven, my fridge, my alarm clock and dang it, my computer.
That's why you should never shred anything.
Re: (Score:2)
I bet the Android rootkit isn't the only rootkit on that CD... I for one wouldn't put anything I obtained at DefCon into any equipment I owned. Maybe not even into my shredder.
I use my Blendtec. Seriously. It blends everything, and I have never once had a problem with it being hacked. Just blended some DefCon stuff earlier tonight, too. I keep the blender right here next to my... --Huh. That's weird. It was here just a few minutes ago. What is that strange electrical sound coming from my closet? Probably just, uh, rats... I'll just check it out... WHAT the! Blendtec! Noo! That won't blend! Aaaaauuuugghhh!
Fixed By Monday (Score:1)
It roots my phone? (Score:1)