Indeed, however we must remember that what can be loaded with module_init can also be injected via /dev/(k)mem, or another module's existing module_init can be infected to point to this one... LKM is the delivery mechanism; the payload is what is interesting. In the real world it would be a headache navigating vermagic conflicts, necessitating an injection approach rather than straight LKM loading.
Christian Papathanasiou.

On Sep 6, 2012 6:22 PM, "Tim" <[email protected]> wrote:

> Sort of, not trying to take anything away, it's a nice rootkit. Though, in
> the end, an LKM is an LKM... It's not really a new technique or a specific
> vulnerability in Android.
>
> If attacker has root, then the game is essentially over.
>
> -Tim Strazzere
>
>
> On Thu, Sep 6, 2012 at 10:20 AM, christian papathanasiou <[email protected]> wrote:
>
>> On the topic of (real) kernel-level Android rootkits, I find the
>> following initiative quite noteworthy:
>>
>> http://redmine.poppopret.org/projects/suterusu
>>
>> Fully fledged kernel rootkit with all the functionality we know and love.
>> The only thing missing is a reverse shell.
>>
>> He also created a kernel level hook which unlocks the screenlock of an
>> infected mobile regardless of swipe code set if you hold down your
>> phone's volume keys in a particular sequence.
>>
>> Now *that* my friends is how it is done, anything else we can dismiss as
>> child's play.
>>
>> Christian Papathanasiou
>> On Sep 6, 2012 6:08 PM, "Tim" <[email protected]> wrote:
>>
>>> What's leading you to believe #2? I agree that is the solution if this
>>> is indeed tapjacking.
>>>
>>> Though sadly, every time I or other people have asked for a PoC or
>>> explanation, we've been met with radio silence. Until I can get my hands on
>>> this or a full explanation, I'm inclined to believe that this "rootkit" is
>>> just a custom launcher.
>>>
>>> -Tim Strazzere
>>>
>>>
>>> On Thu, Sep 6, 2012 at 10:04 AM, Subodh Iyengar <[email protected]> wrote:
>>>
>>>> Three things:
>>>> 1. This type of malware is already known in the community, so much so
>>>> that it already has a name for itself, "Tapjacking".
>>>> 2. This is already solved using the setFilterTouchesWhenObscured flag
>>>> in Gingerbread and beyond.
>>>> 3. This type is not really a "rootkit", when the OS can detect it's
>>>> running.
>>>>
>>>>
>>>> On Wednesday, July 4, 2012 2:22:05 AM UTC-7, RichardC wrote:
>>>>>
>>>>> http://www.theregister.co.uk/2012/07/04/poc_android_clickjacking_rootkit/
>>>>>
>>>>> *"The clickjacking vulnerability is present in Android 4.0.4 (Ice
>>>>> Cream Sandwich) and earlier versions of the smartphone OS. The mechanism -
>>>>> described as a "user interface redressing attack" - means the malware can
>>>>> be installed by a user thinking he or she is agreeing to some other action
>>>>> and without a reboot. No privilege escalation is needed, nor any nobbling
>>>>> of the operating system's core kernel."*
>>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Android Security Discussions" group.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msg/android-security-discuss/-/bb9GUmu-cVEJ
>>>> .
>>>> To post to this group, send email to
>>>> [email protected].
>>>> To unsubscribe from this group, send email to
>>>> [email protected].
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/android-security-discuss?hl=en.
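Point 2 in Subodh Iyengar's message refers to the touch filtering Android added in 2.3 (API 9) for windows that are covered by another window, which is the platform-level mitigation for tapjacking. The following is an added example, not code from this thread or from any project it discusses, showing how a sensitive confirmation control opts into that filtering in code (the layout attribute android:filterTouchesWhenObscured="true" is the equivalent) and how a View subclass can additionally log a dropped touch and treat a partial overlay the same way as a full one, which the framework's default filter does not do. The package name, log tag and layout reference in the comments are assumptions.

```java
package com.example.tapjackingdemo; // assumed package name for this example

import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * A confirmation button that refuses touches delivered while another window
 * (for example an overlay drawn by a malicious app on top of the consent dialog)
 * is covering it.
 *
 * Android 2.3 (API 9) added View#setFilterTouchesWhenObscured and
 * MotionEvent#FLAG_WINDOW_IS_OBSCURED. With the flag enabled, the framework's
 * default onFilterTouchEventForSecurity drops a touch whose event carries
 * FLAG_WINDOW_IS_OBSCURED before it reaches onTouchEvent, so the attached
 * OnClickListener never fires for a tapjacked tap. The override below keeps
 * that behaviour, adds a log line so the attempt is visible, and also drops
 * touches that the input system reports as only partially obscured (API 29+),
 * which the default filter ignores.
 *
 * Assumed layout usage (not included here):
 *   <com.example.tapjackingdemo.SecureConfirmButton
 *       android:id="@+id/confirm"
 *       android:layout_width="wrap_content"
 *       android:layout_height="wrap_content"
 *       android:text="I agree" />
 */
public class SecureConfirmButton extends Button {
    private static final String TAG = "TapjackingDemo"; // assumed log tag

    public SecureConfirmButton(Context context) {
        this(context, null);
    }

    public SecureConfirmButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout.
        // Set it unconditionally so a layout that forgets the attribute is still safe.
        setFilterTouchesWhenObscured(true);
    }

    /**
     * Called by the framework for every touch before onTouchEvent.
     * Return false to swallow the event, true to let it through.
     */
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // Set by the input system when another window fully covered the touch point.
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        // Since API 29 the input system separately reports a window that overlaps
        // this one only partially. The default filter does not act on it; a small
        // overlay that covers just the button is still a tapjacking vector, so we
        // treat it the same. (Compiling this branch requires compileSdk >= 29.)
        if (Build.VERSION.SDK_INT >= 29) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }

        if (obscured) {
            Log.w(TAG, "Dropped touch at (" + event.getX() + "," + event.getY()
                    + ") on view id " + getId() + ": window obscured by another window");
            return false; // never reaches onTouchEvent, so no OnClickListener fires
        }
        // Defer to the framework's own check for anything we did not handle.
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Two caveats a reviewer would want noted. First, the attribute or setter protects only the views it is set on, so it belongs on every control whose tap has a security consequence (install, pay, grant a permission), not on the root layout. Second, the filter only applies while the app's own window is on screen; it does nothing against a custom launcher or a kernel-level hook of the kind discussed earlier in the thread, which is why Tim's distinction between tapjacking and a real rootkit matters for choosing the defence.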
