Translate this blog
Wednesday, 4 July 2012
New Android rootkit ruins lives, kills kittens
That's the kind of scare story surfacing this week about a new android rootkit that needs no special permissions at all, and is completely invisible to users - and to antivirus apps.
The truth about this new threat is definitely not good, but it's far from being the terrifying android apocalypse that some would like to make it out to be.
Let's start with the rootkit itself.
Professor Xuxian Jiang of North Carolina State University created a proof of concept rootkit to highlight security flaws within Googles Android operating system. It can hide without detection from any antivirus app in any version of Android up to and including Android 4.0 (Ice Cream Sandwich), can replace system applications and secretly install malicious apps which can steal sensitive data and log everything the user does.
It works by "clickjacking", redirecting a users touchscreen interactions, it needs no special permissions nor root access and the user simply thinks they are agreeing to something different than they are when installing it thanks to the redirected input. Professor Jiang says the user would have to download a malicious app designed to infect the users android device for the rootkit to be installed, this app would then trick the operating system and its user, allowing the install of the rootkit itself.
This is indeed scary news but let's look at the facts more closely.
This is a one off application developed specifically for research purposes by a professor who is helping develop a security application called "RiskRanker" for mobile security providers NQ. It is meant to help them identify and fix security issues and the rootkit will not be released.
Indeed the mobile app he helped create for NQ is specifically designed to look at seemingly innocent apps and find such hidden dangers, and in tests on real apps from around the world successfully identified 322 zero day (meaning brand new and unknown) threats. The proof of concept rootkit is meant to highlight these security flaws and find a way to fix them which means it is a good thing that this has been discovered, not a bad thing because it means companies are working on stopping this type of attack before anyone else figures out how to carry it out for themselves and tries to put it into an actual app.
It is likely that Google can change the Android operating system to make this a non issue in the future but for now there are people looking out for such a threat, and there will be apps designed to help prevent it - not least of which is Googles Bouncer software which checks applications that developers submit to the Play store.
What we have is a single rootkit which will never be released, this means the only way you will get infected by something using the same techniques is if someone else can replicate it without access to the professor and his code.
Professor Jiang is working on ways to combat this method of access and by the time anyone else figures out how to do what he has already succeeded in doing there will be apps available that will help identify and prevent the method from working.
For now Android users need not be worried about this happening to them because no one else has yet figured out how to do this (except the professor) and, with a number of security companies constantly checking for such new threats (and with this new understanding of how the worst possible type of threat could manipulate the operating system to infect it) if such a rootkit ever gets created for non research purposes, and used, it will be detected quickly.
As with any malware or virus threat the advice to minimize your androids chances of becoming infected are simple. Download only from trusted sources such as the Play store or Amazon market and read what permissions the app you're about to install actually asks for because if a live wallpaper, for example, needs to be able to send sms text messages then it's probably not just a live wallpaper and shouldn't be installed.
So while this is not a threat always remember to use some common sense, dubious apps tend to be found on less trustworthy sites and if you are going to download from those you should at the very least read app permissions and perhaps install an antivirus app.
While I don't consider an antivirus app essential they can be useful, mainly in identifying already known malware, and though more experienced android users may berate those who wish to install extra security there is nothing wrong in having an extra "pair of eyes" looking out for known malware.