Security researchers plan to demonstrate a rootkit running on an Android-based smartphone that could give an intruder full access to all the functions of the device.
Nicholas Percoco and Christian Papathanasiou are scheduled to make the demonstration at the Defcon security conference in Las Vegas in July. The researchers, from security firm Trustwave, will show that the kernel-level rootkit is capable of reading the text messages on an Android phone, making unauthorised long-distance calls and pinpointing the device's location via GPS, according to the conference programme.
The malware is activated by an incoming call from a 'trigger number', upon which it sends a shell to the attacker, allowing them administrative access via a 3G or Wi-Fi connection. A shell is a piece of software providing an interface to an operating system kernel.
The researchers did not explain how they bypassed Android's security measures to install the rootkit, but said the code could be installed over a wireless link or alongside a malicious application.
Percoco and Papathanasiou said they used Android as a target because the platform runs on a Linux kernel. "Android forms a perfect platform for further investigation due to its use of the Linux kernel and the existence of a very established body of knowledge regarding kernel-level rootkits in Linux," they wrote.
The rootkit runs as a loadable kernel module, giving it full access to all of the handset's functions, Percoco and Papathanasiou said.
In the past, Google has emphasised the security precautions it has taken to prevent malicious code from affecting other applications or gaining kernel access. These include designing its security architecture so that no application has default permission to perform operations that would adversely affect other applications or the operating system. On Thursday, it pointed out that an intruder would need root-level access to carry out the attack outlined in the research.
"Rootkits, which exist for every major OS (Linux, Windows, OS X), only pose a risk to users if they can be installed on users' devices. Installing this particular rootkit first requires gaining root-level system privileges on the device, and the Android system is designed to stop unintended root level access," a Google spokesperson said. "Android uses a variety of security controls to help prevent the installation of rootkits and other malware, including our application sandbox, stack protection, checks against heap overflows, and others."
Rootkits use various techniques to make themselves difficult to detect by conventional security software. The problem is more serious for mobile platforms, which lack the security software available for desktop systems, according to researchers.
In February, researchers from Rutgers University demonstrated a rootkit running on the Neo Freerunner smartphone, which also runs on Linux. The Rutgers researchers noted in their paper on the subject that rootkit detection on smartphones poses significant challenges due to factors such as handsets' limited processing power.
"Existing rootkit detection techniques, which have primarily been developed for desktop systems, employ heavyweight mechanisms that require periodic scans of kernel memory snapshots," the researchers wrote. "Such techniques will likely place substantial energy demands if used on smartphones."
In any case, rootkit-detection technologies such as virtual machine monitors currently have only limited support on mobile platforms, they said.
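One lightweight check that a defender can run without a kernel-memory snapshot is a cross-view comparison of loaded kernel modules, since a loadable kernel module like the one described above has to appear somewhere in the kernel's own bookkeeping. The following Python script is an added illustration, not code from the article, from Trustwave or from the Rutgers paper; it assumes the standard Linux layout of `/proc/modules` and `/sys/module` (where a loaded module has an `initstate` file and a built-in one does not), and the sample inputs in it are constructed rather than taken from any real device.

```python
"""Cross-view check for loadable kernel modules (added illustration).

A loaded module is normally listed in /proc/modules and also has a
directory under /sys/module containing an 'initstate' file.  A module that
shows up in one view but not the other is a discrepancy worth investigating.
This is a cheap heuristic, not a substitute for kernel-memory scanning.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleDiff:
    # Present in sysfs (as a loaded module) but missing from /proc/modules.
    missing_from_proc: frozenset
    # Listed in /proc/modules but without a sysfs entry.
    missing_from_sysfs: frozenset

    def is_clean(self) -> bool:
        return not self.missing_from_proc and not self.missing_from_sysfs


def parse_proc_modules(text: str) -> set:
    """Parse /proc/modules: 'name size refcount deps state address' per line."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def loaded_sysfs_modules(sysfs_root: str) -> set:
    """Names under /sys/module that carry an 'initstate' file.

    Built-in kernel code also gets a /sys/module/<name> directory (for its
    parameters), so only entries with 'initstate' count as loaded modules.
    """
    loaded = set()
    for name in os.listdir(sysfs_root):
        if os.path.isfile(os.path.join(sysfs_root, name, "initstate")):
            loaded.add(name)
    return loaded


def diff_module_views(proc_text: str, sysfs_loaded: set) -> ModuleDiff:
    """Compare the two views and report names that appear in only one."""
    proc_names = parse_proc_modules(proc_text)
    sysfs_names = set(sysfs_loaded)
    return ModuleDiff(
        missing_from_proc=frozenset(sysfs_names - proc_names),
        missing_from_sysfs=frozenset(proc_names - sysfs_names),
    )


# Constructed sample data (hypothetical module names and sizes, not real output).
SAMPLE_PROC_MODULES = (
    "ext4 512000 2 - Live 0x0000000000000000\n"
    "usbcore 204800 4 ehci_hcd,usb_storage, Live 0x0000000000000000\n"
)
SAMPLE_SYSFS_LOADED = {"ext4", "usbcore", "example_hidden_mod"}  # hypothetical


def check_sample() -> ModuleDiff:
    """Run the comparison over the constructed sample views."""
    return diff_module_views(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_LOADED)


def check_live_system() -> ModuleDiff:
    """Run the comparison against the running Linux host."""
    with open("/proc/modules", encoding="ascii", errors="replace") as fh:
        proc_text = fh.read()
    return diff_module_views(proc_text, loaded_sysfs_modules("/sys/module"))


if __name__ == "__main__":
    result = check_sample()
    print("sample: missing from /proc/modules:", sorted(result.missing_from_proc))
    print("sample: missing from /sys/module:", sorted(result.missing_from_sysfs))
    if os.path.exists("/proc/modules") and os.path.isdir("/sys/module"):
        live = check_live_system()
        print("live system clean:", live.is_clean())
```

On the constructed sample the check flags `example_hidden_mod`, which the sysfs view reports as loaded but `/proc/modules` does not list. On a real handset the same comparison costs a couple of file reads rather than a memory scan, which is the trade-off the Rutgers researchers point to: cheap enough to run periodically, but only able to catch inconsistencies between views the kernel still exposes.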
Analysts have predicted that Android will be the fastest-growing smartphone operating system in the next three years, when it is expected to overtake both Research in Motion and Apple's operating systems. Symantec last week introduced an initiative called Norton Everywhere, which includes an Android security suite providing malware protection and other features.