Clickjacking Rootkits for Android: the Next Big Threat?

07.02.2012 |

Mobile security researchers have identified an aspect of Android 4.0.4 (Ice Cream Sandwich) and earlier versions that clickjacking rootkits could exploit.

A research team led by Xuxian Jiang at NC State has been trying to identify potential weaknesses in various smartphone platforms as part of an overall effort to stay ahead of attacks from “black hat” attackers.

As part of this work, Jiang was able to develop a proof-of-concept prototype rootkit that attacks the Android framework, rather than the underlying operating system kernel. The rootkit could be downloaded with an infected app and, once established, could manipulate the smartphone.

For example, the rootkit could hide the smartphone’s browser and replace it with a browser that looks and acts exactly the same – but steals all of the information you enter, such as banking or credit card data. But the rootkit’s functionality is not limited to replacing the browser – it could be used to hide and replace any or all of the apps on a smartphone. Here is a video demonstration of the app.

“This would be a more sophisticated type of attack than we’ve seen before,” says Jiang, “specifically tailored to smartphone platforms. The rootkit was not that difficult to develop, and no existing mobile security software is able to detect it.

“But there is good news. Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these.”

Jiang is also the founder of the Android Malware Genome Project, which is a collaborative research effort designed to improve our understanding of existing Android malware. The project was announced May 22.

12 Responses to “Clickjacking Rootkits for Android: the Next Big Threat?”

  1. s15274n says:

    I’ve said it before, but being an active person in the Android community, I’d really like to say thank you to the research NC State has done for Android. Always one step ahead. Proud to be an alumnus.

  2. s15274n says:

    Also, the youtube link works, but the video states it is unlisted and will not play (odd given the link goes there).

  3. s15274n2 says:

    The video worked for me!

  4. [...] Store — which surprisingly has already been dissected by Duo Security. Today, researchers from North Carolina State University have spilled the beans on clickjacking Android 4.0 Ice Cream Sandwich. In the demo, an application is installed on the phone which allows [...]

  5. [...] A research team at North Carolina State University led by Professor Xuxian Jiang recently announced that a security flaw in Android Version 4.0.4 and below could be exploited by a rootkit with relative ease, according to an official university research blog post. [...]

  6. Dead Bird says:

    This is not something new. A spy cam app (https://play.google.com/store/apps/details?id=com.nosuchware.spygear) did the same thing a long time ago!

  7. tom says:

    The video and the text above are complete PR… Seriously, give us real details on what the rootkit is doing:

    - Does it perform a privilege escalation and then run as root (so it can modify core Android framework files)?
    - Is it simply a UI trick, or does it control the processes?
    - Is there any kernel-space code for syscall interception/redirection, or something like LD_PRELOAD in user space?
    - Is the demo phone rooted or not?

    Please, it’s a research page, try to make it more interesting than PR from big companies …

  8. Xuxian Jiang says:

    Hi, Tom:

    - Does it perform a privilege escalation and then run as root (so it can modify core Android framework files)?

    The demo itself does not perform a privilege escalation.

    - Is it simply a UI trick, or does it control the processes?

    It is a UI readdressing attack.

    - Is there any kernel-space code for syscall interception/redirection, or something like LD_PRELOAD in user space?

    No

    - Is the demo phone rooted or not?

    No

  9. tom says:

    Hi Xuxian,

    How is that novel? I remember hearing about it from http://seclab.stanford.edu/websec/framebusting/tapjacking.pdf and recently here: http://www.slideshare.net/phdays/hijacking-attacks-on-android-device-s

    Indeed, Google made an update in 2.3 to prevent that using setFilterTouchesWhenObscured(), but this has been known to be ineffective as you could still manipulate the home screen.

    So what is new?

    Thanks

  10. Xuxian Jiang says:

    Hi, Tom:

    I am not going to expand with more details on this. But in our demo, the UI re-addressing is done by hijacking the launcher, which is completely different from earlier overlaying-based approaches.

    Thanks,
    –Xuxian

  11. tom says:

    Hi Xuxian,

    Thanks for clarifying. I’m looking forward to reading the paper to know the details ;)

    Cheers.

  12. Xuxian Jiang says:

    Just want to clarify that, to avoid alerting the user, privilege escalation (or similar root access) is preferred to hijack the launcher. Otherwise, a social engineering trick will be needed.
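Two defensive checks tied to the points raised in this thread, written here as an added example (not code from the NC State team or from Android's own documentation): the `setFilterTouchesWhenObscured()` mitigation tom mentions, which only addresses overlay-style tapjacking, and a baseline check on which package currently answers the HOME intent, since Jiang's demo replaces the launcher rather than drawing over it. `AuditedButton`, `hardenSensitiveButton`, `isHomeLauncherExpected` and the `expectedLauncherPackage` parameter are names assumed for this example.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;

public final class TapjackingDefense {

    /** The Android 2.3+ mitigation referred to in the thread: a sensitive
     *  control (e.g. a "Pay" button) drops touches delivered while another
     *  window is drawn on top of it. Equivalent to
     *  android:filterTouchesWhenObscured="true" in the layout XML. */
    public static void hardenSensitiveButton(Button payButton) {
        payButton.setFilterTouchesWhenObscured(true);
    }

    /** The same check done by hand, for a custom View that wants to log the
     *  dropped event rather than discard it silently (assumed class name). */
    public static final class AuditedButton extends Button {
        public AuditedButton(Context ctx) { super(ctx); }

        @Override
        public boolean onFilterTouchEventForSecurity(MotionEvent event) {
            if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                // A window we do not own overlaps this view: overlay tapjacking.
                Log.w("TapjackingDefense", "Dropped touch delivered while obscured");
                return false;
            }
            return super.onFilterTouchEventForSecurity(event);
        }
    }

    /** The overlay check above does not cover what Jiang describes, a hijacked
     *  launcher, because no overlay is involved. What an app or a device
     *  management agent can do is record which package resolves the HOME
     *  intent at enrolment and alert when it no longer matches that baseline.
     *  expectedLauncherPackage is an assumed value supplied by the caller. */
    public static boolean isHomeLauncherExpected(Context ctx, String expectedLauncherPackage) {
        Intent home = new Intent(Intent.ACTION_MAIN).addCategory(Intent.CATEGORY_HOME);
        ResolveInfo ri = ctx.getPackageManager()
                .resolveActivity(home, PackageManager.MATCH_DEFAULT_ONLY);
        if (ri == null || ri.activityInfo == null) {
            return false; // nothing answers HOME: treat as suspicious
        }
        return expectedLauncherPackage.equals(ri.activityInfo.packageName);
    }
}
```

The HOME baseline check flags a launcher swap only after the fact; it tells you the default home activity changed, not how, so the result is a trigger for investigation rather than proof of compromise.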
