This weekend security experts at the Def Con 18 conference in Las Vegas demonstrated just how vulnerable companies are to outside attacks.
A software application, developed by Spider Labs, was used to demonstrate how information on Android phones can be easily stolen.
The software, simply called a rootkit, allows its developer to gain control of the Android device, subsequently giving hackers access to text and email messages on Android phones.
The kernel-level Android rootkit, which disguises itself in the form of a loadable kernel module, is able to send an attacker a reverse TCP shell over 3G/Wi-Fi upon receiving an incoming call from a ‘trigger number.’ This ultimately results in full root access on the Android device.
According to Nicholas J. Percoco, the head of SpiderLabs at Trustwave:
“The implications of this are huge; an attacker can proceed to read all SMS messages on the device/incur the owner with long-distance costs, even potentially pin-point the mobile device’s exact GPS location. Such a rootkit could be delivered over-the-air or installed alongside a rogue app.”
Though not limited to these devices, the exploit was demonstrated on the HTC Legend and Desire Android handsets. Percoco distributed DVDs of the rootkit tool to persuade manufacturers to patch the bug that allows such access.
The annual conference, which had over 10,000 in attendance, is designed to allow hackers and security experts to break codes and improve security systems. Considering that about 160,000 Android phones are activated every day, does this vulnerability pose a massive threat?
I am no expert on the subject but some thoughts crossed my mind about this exploit. Doesn’t the user need to have root access on their phone for this exploit to work? And if the rootkit gains access doesn’t that mean you now have a rooted device? An exploit or a new rooting method?
On the other hand, if my phone was already rooted, won’t the “su request” dialog prompt me if a malicious rootkit tried to gain root access to my device? I think this exploit should be attributed more to the user rather than the device. This may not necessarily mean it’s a security issue of Android mobile devices, but rather a user interaction issue.
Is this any different from a phishing email that prompts you for your bank account or email password, or is this a serious security issue? Any thoughts on this?