Android is a software stack for mobile devices that includes an operating system, middleware and key applications and uses a modified version of the Linux kernel. 60,000 cell phones with Android are shipping every day. Android platform ranks as the fourth most popular smartphone device-platform in the United States as of February 2010.
To date, very little has been discussed regarding rootkits on mobile devices. Android forms a perfect platform for further investigation due to its use of the Linux kernel and the existence of a very established body of knowledge regarding kernel-level rootkits in Linux.
We have developed a kernel-level Android rootkit in the form of a loadable kernel module. As a proof of concept, it is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number'. This ultimately results in full root access on the Android device. This will be demonstrated (live).
The implications of this are huge; an attacker can proceed to read all SMS messages on the device/incur the owner with long-distance costs, even potentially pin-point the mobile device's exact GPS location. Such a rootkit could be delivered over-the-air or installed alongside a rogue app. Our talk will take participants down this path of development, describing how the PoC was written and laying the foundations for our research to be taken further.