Mobile security researchers have identified an aspect of Android 4.0.4 (Ice Cream Sandwich) and earlier versions that clickjacking rootkits could exploit.
A research team led by Xuxian Jiang at NC State has been trying to identify potential weaknesses in various smartphone platforms as part of an overall effort to stay ahead of attacks from “black hat” attackers.
As part of this work, Jiang developed a proof-of-concept rootkit that attacks the Android framework rather than the underlying Linux kernel. The rootkit could be delivered inside an infected app and, once installed, could manipulate what the user sees and launches on the smartphone.
For example, the rootkit could hide the smartphone's browser and replace it with one that looks and behaves exactly the same but captures everything the user enters, such as banking or credit card details. Nor is it limited to the browser: it could hide and replace any or all of the apps on a smartphone. Here is a video demonstration of the attack.
“This would be a more sophisticated type of attack than we’ve seen before,” says Jiang, “specifically tailored to smartphone platforms. The rootkit was not that difficult to develop, and no existing mobile security software is able to detect it.
“But there is good news. Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these.”
Jiang is also the founder of the Android Malware Genome Project, which is a collaborative research effort designed to improve our understanding of existing Android malware. The project was announced May 22.

The Abstract blog is the official blog of the
I've said it before, but being an active person in the Android community, I'd really like to say thank you for the research NC State has done for Android. Always one step ahead. Proud to be an alumnus.
Also, the YouTube link works, but the video states it is unlisted and will not play (odd, given the link goes there).
The video worked for me!
[...] Store — which surprisingly has already been dissected by Duo Security. Today, researchers from North Carolina State University have spilled the beans on clickjacking Android 4.0 Ice Cream Sandwich. In the demo, an application is installed on the phone which allows [...]
[...] A research team at North Carolina State University led by Professor Xuxian Jiang recently announced that a security flaw in Android Version 4.0.4 and below could be exploited by a rootkit with relative ease, according to an official university research blog post. [...]
This is not something new. A spy cam app (https://play.google.com/store/apps/details?id=com.nosuchware.spygear) did the same a long time ago!
The video and the text above are complete PR... Seriously, give us real details on what the rootkit is doing:
- Does it perform a privilege escalation and then run as root (so it can then modify core Android framework files)?
- Is it simply a UI trick, or does it control the processes?
- Is there any kernel-space code for syscall interception/redirection, or something like LD_PRELOAD in user space?
- Is the demo phone rooted or not?
Please, it's a research page; try to make it more interesting than PR from big companies...
Hi, Tom:
- Does it perform a privilege escalation and then run as root (so it can then modify core Android framework files)?
The demo itself does not perform a privilege escalation.
- Is it simply a UI trick, or does it control the processes?
It is a UI redressing attack.
- Is there any kernel-space code for syscall interception/redirection, or something like LD_PRELOAD in user space?
No.
- Is the demo phone rooted or not?
No.
Hi Xuxian,
How is that novel? I remember hearing about it from http://seclab.stanford.edu/websec/framebusting/tapjacking.pdf and recently here: http://www.slideshare.net/phdays/hijacking-attacks-on-android-device-s
Indeed, Google has done some updates on 2.3 to prevent that using setFilterTouchesWhenObscured(), but this has been known to be inefficient, as you could still manipulate the home screen.
So what is new ?
Thanks
Hi, Tom:
I am not going to expand with more details on this. But in our demo, the UI redressing is done by hijacking the launcher, which is completely different from earlier overlay-based approaches.
Thanks,
–Xuxian
Hi Xuxian,
Thanks for clarifying. I'll be looking forward to reading the paper to know the details.
Cheers.
Just want to clarify that, to avoid alerting the user, privilege escalation (or similar root access) is preferred to hijack the launcher. Otherwise, a social engineering trick will be needed.
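The thread above narrows the attack down to two observable facts on the device: a third-party app has made itself the HOME (launcher) handler, and a look-alike app presents a known app's name under a different package or signing key. The following is an added example of how a defender might check for both; it is not code from the NC State team and does not reproduce their rootkit. It assumes a simplified package record (package name, user-visible label, system flag, intent categories handled by the main activity, signing-certificate SHA-256) of the kind a host could assemble from `adb shell dumpsys package` output; the package names, labels and certificate digests in the sample are constructed for the example.

```python
"""Heuristic launcher-hijack and look-alike checks for an Android package list.

Added illustration, not the researchers' code. PackageRecord is a constructed,
simplified model of what PackageManager / `dumpsys package` expose; the
sample packages and certificate digests below are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

HOME = "android.intent.category.HOME"          # category a launcher must handle
LAUNCHER_ICON = "android.intent.category.LAUNCHER"  # category for a home-screen icon


@dataclass(frozen=True)
class PackageRecord:
    package: str          # e.g. com.android.browser
    label: str            # name shown to the user on the home screen
    system: bool          # True if installed with the firmware (/system)
    categories: Set[str]  # intent categories the MAIN activity handles
    cert_sha256: str      # hex SHA-256 of the signing certificate


def home_handlers(packages: List[PackageRecord]) -> List[PackageRecord]:
    """Every installed package that can act as the launcher."""
    return [p for p in packages if HOME in p.categories]


def check_launcher(packages: List[PackageRecord], default_home: str,
                   trusted_home_certs: Set[str]) -> List[str]:
    """Flag launcher candidates and the current default that are not signed
    by a key you expect (OEM/stock launcher keys). A hijacked launcher is the
    mechanism the post's demo relies on, so this is the check that matters."""
    findings = []
    by_name: Dict[str, PackageRecord] = {p.package: p for p in packages}
    for p in home_handlers(packages):
        if not p.system and p.cert_sha256 not in trusted_home_certs:
            findings.append(f"untrusted HOME handler installed: {p.package} ({p.label})")
    default = by_name.get(default_home)
    if default is None:
        findings.append(f"default HOME {default_home} is not an installed package")
    elif default.cert_sha256 not in trusted_home_certs:
        findings.append(f"default launcher is untrusted: {default_home}")
    return findings


def check_lookalikes(packages: List[PackageRecord],
                     known_apps: Dict[str, str]) -> List[str]:
    """known_apps maps a genuine app's label to its signing-cert digest.
    Flags any package that reuses the label with a different signer."""
    findings = []
    for p in packages:
        genuine_cert = known_apps.get(p.label)
        if genuine_cert is not None and p.cert_sha256 != genuine_cert:
            findings.append(f"look-alike: {p.package} presents as '{p.label}' "
                            "but is signed by a different key")
    return findings


# Constructed sample data: stock launcher and browser, a "game" that also
# registers as HOME, and a second package mimicking the browser's label.
STOCK_LAUNCHER_CERT = "bb" * 32
STOCK_BROWSER_CERT = "aa" * 32
ROGUE_CERT = "cc" * 32

SAMPLE_PACKAGES = [
    PackageRecord("com.android.launcher", "Launcher", True, {LAUNCHER_ICON, HOME}, STOCK_LAUNCHER_CERT),
    PackageRecord("com.android.browser", "Browser", True, {LAUNCHER_ICON}, STOCK_BROWSER_CERT),
    PackageRecord("com.example.freegame", "Free Game", False, {LAUNCHER_ICON, HOME}, ROGUE_CERT),
    PackageRecord("com.example.fakebrowser", "Browser", False, {LAUNCHER_ICON}, ROGUE_CERT),
]


def run_sample() -> List[str]:
    """Run both checks over the constructed sample with the rogue app set as
    the default launcher, as it would be after the social-engineering step."""
    return (check_launcher(SAMPLE_PACKAGES, "com.example.freegame", {STOCK_LAUNCHER_CERT})
            + check_lookalikes(SAMPLE_PACKAGES, {"Browser": STOCK_BROWSER_CERT}))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Two caveats a practitioner should keep in mind. First, the label check only catches a look-alike shipped as its own package; once a rogue launcher controls the home screen it can draw any icon and route the tap to an activity inside itself, which is why the launcher check, not the label check, is the decisive one. Second, on a device where the attacker already has root (the case the last comment says is preferred), the package data the checks consume can itself be falsified, so the input should be collected from a trusted host rather than by an on-device app.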