
Android Rootkit Created (And Spam Botnet Is Reported)

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Two worries for Android security: a nasty rootkit is created in the lab, while a botnet may have been spotted

A rootkit targeting Android devices has been created by a US-based researcher, highlighting flaws in the Google operating system, whilst what is believed to be the first Android-based spamming botnet has been spotted.

A study by Xuxian Jiang, computer science professor at North Carolina State University, showed how the Android rootkit could be used to upload malware to phones or tablets.

The rootkit also has a separate capability that an attacker could use to record browser activity, potentially letting them pilfer sensitive data: it hides the smartphone's real browser and replaces it with a look-alike that captures whatever the user enters into it.

Android rootkit is not deep

The rootkit could also hide and replace any or all of the apps on an Android smartphone. It works without a restart and without "deep modification" of Android's Linux kernel, which is notable because the stealthiest conventional rootkits achieve their persistence by infecting low-level components such as the kernel.

The flaws exploited by the rootkit are found in all Android operating systems up to Ice Cream Sandwich (Android 4.0.4).

“This would be a more sophisticated type of attack than we’ve seen before, specifically tailored to smartphone platforms,” said Jiang, “The rootkit was not that difficult to develop, and no existing mobile security software is able to detect it.

“But there is good news. Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these.”

Jiang did not specify how the rootkit would get onto a device, but it would most likely require the user to install a malicious application, either from the official Google Play market or from a third-party app store. Jiang has also released a video showing what the rootkit can do.

Meanwhile, security researcher Terry Zink claimed to have come across evidence of a botnet running on Android devices. Most botnets make use of the plentiful supply of unprotected PCs on the internet, turning them into subverted agents for malicious activity such as sending spam and launching denial-of-service attacks, but it has long been feared that the same model could be applied to Android phones.

Zink claims to have found messages sent from compromised Yahoo Mail accounts on Android. "We've all heard the rumours, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices. These devices log in to the user's Yahoo Mail account and send spam," Zink said in a blog post.

"I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for. Either that or they acquired a rogue Yahoo Mail app."

Google declined to comment on either the botnet or the rootkit, but it did issue this statement: "We are committed to providing a secure experience for consumers in Google Play, and in fact our data shows between the first and second halves of 2011, we saw a 40 percent decrease in the number of potentially-malicious downloads from Google Play. Last year we also introduced a new service into Google Play that provides automated scanning for potentially malicious software without disrupting the user experience or requiring developers to go through an application approval process."

Android remains the most targeted of all mobile operating systems. Kaspersky recently spotted a set of malicious Android applications posing as security software.

In the US, the Defense Advanced Research Projects Agency (DARPA) has awarded a $21.4 million (£13.7m) contract to create a locked-down version of Android so that it can use the OS in battlefield scenarios.
