On the topic of (real) kernel-level Android rootkits, I find the following initiative quite noteworthy:
http://redmine.poppopret.org/projects/suterusu

Fully fledged kernel rootkit with all the functionality we know and love. The only thing missing is a reverse shell. He also created a kernel-level hook which unlocks the screenlock of an infected mobile regardless of the swipe code set if you hold down your phone's volume keys in a particular sequence. Now *that* my friends is how it is done, anything else we can dismiss as child's play.

Christian Papathanasiou

On Sep 6, 2012 6:08 PM, "Tim" <[email protected]> wrote:

> What's leading you to believe #2? I agree that is the solution if this is
> indeed tapjacking.
>
> Though sadly, every time I or other people have asked for a PoC or
> explanation, we've been met with radio silence. Until I can get my hands on
> this or a full explanation, I'm inclined to believe that this "rootkit" is
> just a custom launcher.
>
> -Tim Strazzere
>
>
> On Thu, Sep 6, 2012 at 10:04 AM, Subodh Iyengar <[email protected]> wrote:
>
>> Three things:
>> 1. This type of malware is already known in the community, so much so
>> that it already has a name for itself, "Tapjacking".
>> 2. This is already solved using the setFilterTouchesWhenObscured flag in
>> Gingerbread and beyond.
>> 3. This type of malware is not really a "rootkit", when the OS can detect it's
>> running.
>>
>>
>> On Wednesday, July 4, 2012 2:22:05 AM UTC-7, RichardC wrote:
>>>
>>> http://www.theregister.co.uk/2012/07/04/poc_android_clickjacking_rootkit/
>>>
>>> *"The clickjacking vulnerability is present in Android 4.0.4 (Ice Cream
>>> Sandwich) and earlier versions of the smartphone OS. The mechanism -
>>> described as a "user interface redressing attack" - means the malware can
>>> be installed by a user thinking he or she is agreeing to some other action
>>> and without a reboot. No privilege escalation is needed, nor any nobbling
>>> of the operating system's core kernel."*
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Android Security Discussions" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/android-security-discuss/-/bb9GUmu-cVEJ.
>>
>> To post to this group, send email to
>> [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/android-security-discuss?hl=en.
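Subodh's point 2 in the quoted thread (the `setFilterTouchesWhenObscured` flag, available since Gingerbread / API 9) is the framework-level tapjacking mitigation for an app's own sensitive views. The following is an added example, written here for illustration and not code from any poster in this thread or from the Suterusu project; the class name `ObscuredAwareButton` and the log tag are hypothetical. It shows a button that enables the flag and additionally logs any touch the framework would have delivered while another window covered it, so a defender can see overlay attempts in logcat rather than silently dropping them.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Hypothetical example class: a "confirm" button that refuses touch events
 * delivered while another window (for instance a malicious overlay) obscures
 * it, and records the attempt for later review.
 */
public class ObscuredAwareButton extends Button {
    private static final String TAG = "ObscuredAwareButton"; // hypothetical tag

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Ask the framework to discard touches that arrive while this view's
        // window is obscured by another window. This is the programmatic form of
        // android:filterTouchesWhenObscured="true" in layout XML.
        setFilterTouchesWhenObscured(true);
    }

    /**
     * Invoked by the framework before a touch is dispatched when filtering is
     * enabled. Returning false discards the event. The default implementation
     * already drops obscured touches; overriding it lets us log the occurrence
     * before deferring to that default behaviour.
     */
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            // Detection signal: a touch reached a sensitive control while some
            // other window sat on top of it, which is the tapjacking pattern.
            Log.w(TAG, "Dropped touch delivered while window was obscured"
                    + " (possible tapjacking), action=" + event.getActionMasked());
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use the class in place of a plain `Button` for any control whose tap grants something (install confirmations, payment approval, permission-style dialogs). Two caveats: the flag protects only views inside your own app, so it cannot defend system dialogs or other apps' UI, and it only covers the fully-obscured case on older releases; Android 10 added `MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED` for the partially covered case, which an app targeting newer releases may want to check as well.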
