Android is a software stack for mobile devices that includes an operating system, middleware and key applications and uses a modified version of the Linux kernel. 60,000 cell phones with Android are shipping every day. Android platform ranks as the fourth most popular smartphone device-platform in the United States as of February 2010.
To date, very little has been discussed regarding rootkits on mobile devices. Android forms a perfect platform for further investigation due to its use of the Linux kernel and the existence of a very established body of knowledge regarding kernel-level rootkits in Linux.
We have developed a kernel-level Android rootkit in the form of a loadable kernel module. As a proof of concept, it is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number'. This ultimately results in full root access on the Android device. This will be demonstrated (live).
The implications of this are huge; an attacker can proceed to read all SMS messages on the device/incur the owner with long-distance costs, even potentially pin-point the mobile device's exact GPS location. Such a rootkit could be delivered over-the-air or installed alongside a rogue app. Our talk will take participants down this path of development, describing how the PoC was written and laying the foundations for our research to be taken further.
Nicholas J. Percoco is the head of SpiderLabs at Trustwave - the advanced security team that has performed more than 700 cyber forensic investigations globally, thousands of penetration and application security tests for Trustwave clients. In addition, his team is responsible for the security research that feeds directly into Trustwave's products through real-time intelligence gathering. He has more than 15 years of information security experience. Nicholas acts as the lead security advisor to many of Trustwave's premier clients by assisting them in making strategic decisions around various security and compliance regimes. As a speaker, he has provided unique insight around security breaches and trends to public and private audiences throughout North America, South America, Europe, and Asia including security conferences such as Black Hat, DEFCON, SecTor and You Sh0t the Sheriff. Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign and Internet Security Systems. Nicholas holds a Bachelor of Science in Computer Science from Illinois State University.
Christian Papathanasiou is a Security Consultant for Trustwave. He is part of SpiderLabs - the advanced security team at Trustwave responsible for incident response, penetration testing and application security tests for Trustwave's clients. Christian's research interests include Linux kernel rootkit/anti-rootkit technology, algorithmic trading and web application security. Christian holds a MSc with Distinction in Information Security from the Information Security Group at Royal Holloway, University of London and a CISSP. He has consulted internationally in the space/defense/commercial and financial sectors in all matters relating to Information Security. Christian is also a qualified Chemical Engineer having graduated with a MEng(Hons) in Chemical Engineering from the University of Manchester Institute of Science and Technology.