Android rootkit now in the wild.

I stumbled upon a rootkit that specifically targets Android phones, and would give third-parties full control over your phone.

Thought you might find it interesting/scary/fun so here's the link to my article about it: http://extorian.co.uk/blog/227/android-rootkit-found-in-the-wild/
 
I actually like the way in which he finds the syscall table. It's super-basic without any obfuscation since there's no real virus scanner to worry about.

What he's lacking is what he addresses

So, he can get root but he can't figure out how to intercept.

What he's doing is very basic, and really no need to panic yet. It's running as a module, which Android won't allow from the NDK I believe (Google's not that dumb to allow modules to be added to the kernel). If he can intercept calls, and can get it to act on them without running as a module, then I'd worry. Still, someone creative enough can find a way around it I'm sure.
 
Eek

I wonder if he's still running it as a module though. Because as a module you're basically given full rights to mess around in those tables.
 
Some kernels on custom ROMs are compiled with module support... I have no idea if the common ones (like Cyan's) are or not.

And, I know a way to get insmod (a cut down version of modprobe) working without kernel support using kmalloc - which you can install and run once you have root access, or bundle as part of your malicious app. Just a theory anyway.
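A small audit script for the two things the posts above argue about, from the defender's side: whether a phone's kernel accepts loadable modules at all, and whether anything unexpected is currently loaded. This is an added example, not code from the thread or the linked article; it assumes the usual Linux /proc paths (/proc/config.gz, /proc/modules) and a rooted device reached via adb shell.

```shell
#!/bin/sh
# Added example (not from the thread): check the loadable-module vector.
# Defaults assume standard Linux paths; pass other files to test offline.

# Return 0 if the kernel config (plain or gzipped) has CONFIG_MODULES=y,
# 1 if modules are disabled, 2 if the config is not exposed at all.
kernel_has_modules() {
    cfg="${1:-/proc/config.gz}"
    [ -r "$cfg" ] || return 2
    case "$cfg" in
        *.gz) gzip -dc "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | grep -q '^CONFIG_MODULES=y'
}

# Print the names of loaded modules from a /proc/modules-style file
# (first column of each line).
loaded_modules() {
    mods="${1:-/proc/modules}"
    [ -r "$mods" ] || return 2
    awk '{print $1}' "$mods"
}

# Count loaded modules that are not in an allow list (one name per line).
# Anything non-zero on a stock ROM deserves a closer look.
unexpected_modules() {
    mods="$1"
    allow="$2"
    loaded_modules "$mods" | grep -vxFf "$allow" | wc -l | tr -d ' '
}
```

On a device, `adb shell` in as root and call `kernel_has_modules` with no argument; a return of 2 means the kernel hides its config and you fall back to `loaded_modules` and the allow-list check.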
 