Back to the "custom launcher" malware, the best information I've read was in the comments on the original NCSU blog post by Xuxian
http://web.ncsu.edu/abstract/technology/wms-jiang-clickjack/

- Jared O

On Thursday, September 6, 2012 1:08:10 PM UTC-4, strazzere wrote:
>
> What's leading you to believe #2? I agree that is the solution if this is
> indeed tapjacking.
>
> Though sadly, every time I or other people have asked for a PoC or
> explanation, we've been met with radio silence. Until I can get my hands on
> this or a full explanation, I'm inclined to believe that this "rootkit" is
> just a custom launcher.
>
> -Tim Strazzere
>
>
> On Thu, Sep 6, 2012 at 10:04 AM, Subodh Iyengar <[email protected]> wrote:
>
>> Three things:
>> 1. This type of malware is already known in the community, so much so
>> that it already has a name for itself, "Tapjacking".
>> 2. This is already solved using the setFilterTouchesWhenObscured flag in
>> Gingerbread and beyond.
>> 3. This type is not really a "rootkit", when the OS can detect it's
>> running.
>>
>>
>> On Wednesday, July 4, 2012 2:22:05 AM UTC-7, RichardC wrote:
>>>
>>> http://www.theregister.co.uk/2012/07/04/poc_android_clickjacking_rootkit/
>>>
>>> *"The clickjacking vulnerability is present in Android 4.0.4 (Ice Cream
>>> Sandwich) and earlier versions of the smartphone OS. The mechanism -
>>> described as a "user interface readdressing attack" - means the malware can
>>> be installed by a user thinking he or she is agreeing to some other action
>>> and without a reboot. No privilege escalation is needed, nor any nobbling
>>> of the operating system's core kernel."*
>>>
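The setFilterTouchesWhenObscured flag named in point 2 of the quoted message, as an added example that is not part of the original thread: a view for a security-sensitive confirmation that opts in to the filter and logs when a touch is discarded. The package name, class name and log tag are hypothetical; the framework calls are the standard Android `View` and `MotionEvent` APIs available from API level 9 (Gingerbread).

```java
package com.example.tapguard; // hypothetical package name

import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/** Hypothetical button for security-sensitive confirmations (install, grant, pay). */
public class ObscuredAwareButton extends Button {
    private static final String TAG = "ObscuredAwareButton"; // hypothetical log tag

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML:
        // the framework discards touches that arrive while another visible window
        // covers this view's window at the touch location.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // The window manager sets this flag on events delivered through an overlay.
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured && event.getAction() == MotionEvent.ACTION_DOWN) {
            // Record the drop so the app can explain to the user why the tap
            // had no effect, instead of failing silently.
            Log.w(TAG, "Touch dropped: window is obscured by another visible window");
        }
        // Returning false tells the framework to drop the event before it
        // reaches onTouchEvent() or any click listener.
        return !obscured && super.onFilterTouchEventForSecurity(event);
    }
}
```

The filter only protects views that opt in, so it has to be set on each control whose tap authorises something sensitive.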
