Tuesday, August 3, 2010

Android rootkit created in just two weeks

You may not know that Android phones are built on top of a modified Linux kernel. According to the description found at ANDROID.COM:

"Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. The kernel also acts as an abstraction layer between the hardware and the rest of the software stack."

It is because of that Linux link that I wanted to start sharing Android news and concepts over here.


For those of you who don't know much about Android, or are not up to date with the project's progress, I recommend watching the following video, which demonstrates the new features in the latest release, Android 2.2, codenamed "FROYO". The video is long but very interesting and definitely worth watching: it includes demos of what Android is capable of today and hints at what is in store for the near future.

As Mr. Gundotra himself stresses at the beginning of the video, Android is roughly 1.5 years old. At such a young age it has made some incredible accomplishments, but some areas are still a bit immature. That is understandable, not only because of the project's youth but also because of the frantic pace at which the mobile device market evolves. In fact, with Android activations now at 160,000 a day (!!!), you can imagine how its market and community are bursting with creativity and continuous change.


Now, it would be naive to think that all that development power goes in one direction. There will surely be people with malicious intentions, interested in exploiting any vulnerabilities they can find, so it is wise to keep an eye on security and continuously watch for holes. A couple of researchers at Spider Labs seem to have thought of exactly that: they created a rootkit for Android as a proof of concept for a vulnerability they found. The rootkit they built gives whoever controls it full control over the Android device.

The most concerning bit is that they apparently built this piece of malware in roughly two weeks, and, as they themselves acknowledge, "there are people who are much more motivated to do these things than we are." You may read the full story in this ARTICLE.


I think it is important not to overreact to things like this. Making a system rock solid and fully secure takes time, and it is especially challenging in an environment that evolves as quickly as Android does. The fact that such a vulnerability was brought up is actually good news: it will get fixed, and it should also push for more robust security features and audits from now on.

Unfortunately, the article does not really explain how the malware actually works, but I found a bit more information at SLASHDOT.ORG:

"...(The piece of malicious software) is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number.'"

So the rootkit must already be installed and running on the device (the article does not explain how that would happen) before the call from the 'trigger number' comes in; the call is only the signal that opens the reverse shell back to the attacker, not the way onto the device. It is hard to judge the real impact with so little information, but it sounds to me like installing software only from verified sources should avoid the problem: whatever gets the rootkit onto the device in the first place is the real attack, and the trigger call merely uses it. That advice holds as long as the installation vector is a trojanised application rather than some other flaw, which the article does not rule out.

NOTE: It is important to understand that this is NOT a Linux vulnerability; it is specific to Android.

Thanks for reading!


  1. Hi Chema, love your blog. This is slightly off topic but is still security related and I would appreciate your input on the following:

    Mint can't authenticate downloaded packages by default. I installed Mint 9 KDE and noticed an authentication failure on every package during the first update. Went googling and found this thread on the Mint forum which confirms that the third most popular Linux distro is not capable of authenticating its own binaries, or any other binaries.

    This is not mentioned in the Mint release notes, as it should be. I am not a techie, but this sounds like a serious security issue which has been unresolved since version 7. Would this stop you from using or recommending Mint? All the best, Singu

  2. Hi, Singu,

    Wow, I had installed KDE Mint recently to take a quick look, but did it on a virtual machine. As a result, I didn't bother updating, so I didn't realise this problem was there.

    In my opinion, this is a big issue, especially from the point of view of the release itself. One has to wonder how they tested if they didn't catch something this fundamental.

    In practical terms, as long as the user does not add "obscure" repositories, the distro is only including validated ones to start with. In other words, even if the client does not authenticate its own binaries, we know they have been validated on the server side, so they should be 100% safe.

    Would I recommend Linux Mint 9 KDE? Probably not. There are many other KDE distributions out there that do significantly better. PCLinuxOS 2009.7 is probably the first to spring to mind.

    In my opinion, if you are going to use Mint or Ubuntu, both predominantly GNOME distros, why use the alternative (weaker) options?

    A bit off topic, but I personally think Canonical should concentrate all its resources on Ubuntu and abandon any other flavors. That would allow them to polish their releases, work on resident bugs, improve their artwork and go back to being a stable and reliable distro. Something similar applies to Mint.

  3. Thank you for your reply.

    Not one Mint review mentions this either; people don't expect they have to check apt-get's default behaviour, and think the release notes or the distribution's web page has all the distro and version relevant info. I hope you will add an addendum about this in your previous and future Mint reviews; you would be the first in doing so. I think potential users should be aware of this, since this is a security issue. All Mint DE versions have the same changed apt-get behaviour by default.

    From what I can gather from that linked forum thread, this is known and intentional apt-get behaviour set up for the sake of the devs' convenience, so this is not considered a bug or an issue on their part, which probably explains why it's not mentioned in the release notes. I have left similar posts on most Mint reviews from DistroWatch links, and sent emails to DistroWatch and others about this. I hope this will not look like I am spreading FUD about Mint or be looked upon as some nutcase. I just feel people with more media weight should ask the Mint devs some questions, since Mint is the only *buntu/Debian distro that has this strange apt-get behaviour. This is also the third most popular distro according to DistroWatch, and it is teaching Linux noobs to blast their way through authentication warnings when they update or download software. Seems like one of those "somebody would have noticed" stories, very strange.

    I can only accept your point about default repositories since I am not a technically savvy person, but I think most people always add extra stuff.

    When I finally convinced my brother to try Linux, KDE's similarity with Windows was something he immediately liked, so Kubuntu LTS it was. The Mint issue jumped out while testing it; the only reason it was tested was post-install convenience. I will probably wait for Debian 6, which will go on my parents' computers.

    I could not agree more with your point about Canonical, and it applies to a lot of other distros as well. Management and clear software direction in open source looks quite a bit more difficult than in regular companies. Devs are only obligated to their passions, and yet someone has to steer and sync them together, and we all know devs' egos are second only to those of writers. On that note, this has been a long write-up; once again thanks for your reply. All the best, Singu

  4. First off, thanks for your comments, I am glad you liked my blog!

    I read more about this and I agree it is a concern. Having said so, it is important to understand the extent of that concern.

    1.- This warning appears when using apt-get, which kind of defeats the purpose of using Mint in the first place. Mint developers did an incredible job in creating the Software Manager, which does not suffer from this issue. In that regard, apt-get is probably just a resident package manager for them. I wouldn't be surprised if they considered this a low priority for that very reason.

    2.- In a perfect situation, Mint should only throw that warning when downloading unsigned packages. Therefore, the problem here is that such behavior "programs" the user to simply ignore such security warnings. This is obviously dangerous and not desirable, but like I said before, it should not have any significance as long as no new repos are added.

    3.- If dark/obscure repos are added, it is not that unusual to find unsigned packages in them. In fact, even if they were signed, it wouldn't mean much unless proper quality and security control is put in place by the repository owner(s), which may not always be the case. In other words, adding repositories which are not clearly worthy of trust is always a bit dangerous, not recommended unless you know what you are doing.

    Long story short, I don't see this matter as a big issue. Mint is built with ease of use in mind, which probably explains why they are not crazy about fixing this problem. On top of that, Mint + Ubuntu repositories already include a very rich application catalog, so adding new repositories should not be a big priority. Having said so, it looks like some people agree with you and are chasing this open issue, so I wouldn't be surprised if it was fixed soon.

    Thanks again!
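The check behind the discussion above, as an added example: it is not code from the original post, from Linux Mint or from the APT project. It assumes that the behaviour the thread describes comes from the apt option APT::Get::AllowUnauthenticated being set to "true" in a fragment under /etc/apt/apt.conf.d; the thread never names the setting or the file, so the fragment name "00mintrelease" and both configuration trees are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post, Linux Mint or APT). Assumes the
# thread's "authentication failure" behaviour stems from
# APT::Get::AllowUnauthenticated "true" in a fragment under apt.conf.d.
#
# apt reads the fragments in lexical order and the last value wins, so this
# function mirrors that: it returns 0 (true) when the tree under $1 ends up
# allowing unauthenticated packages, 1 otherwise, and prints the file that
# set the decisive value.
apt_allows_unauthenticated() {
    confdir="$1"
    allowed=1
    decisive=""
    for f in "$confdir"/*; do
        [ -f "$f" ] || continue
        # Drop // and # comments, keep the last assignment of the option in
        # this file, and extract the quoted value.
        val=$(sed -e 's://.*$::' -e 's:#.*$::' "$f" \
              | grep -i 'APT::Get::AllowUnauthenticated' \
              | tail -n 1 \
              | sed -n 's/.*"\([^"]*\)".*/\1/p')
        case "$val" in
            "") ;;                                              # not set here
            [Tt][Rr][Uu][Ee]|[Yy][Ee][Ss]|1) allowed=0; decisive="$f" ;;
            *) allowed=1; decisive="$f" ;;
        esac
    done
    if [ -n "$decisive" ]; then
        echo "decisive setting in: $decisive"
    fi
    return "$allowed"
}

# Constructed configuration trees (sample input, not copied from any distro).
demo=$(mktemp -d)
mkdir -p "$demo/weak" "$demo/fixed"

# The weak tree: one fragment (made-up name) that tells apt-get to install
# packages even when the Release file signature cannot be verified.
cat > "$demo/weak/00mintrelease" <<'EOF'
// constructed fragment: skip signature verification
APT::Get::AllowUnauthenticated "true";
EOF

# The fixed tree keeps the same fragment but adds a later one (higher sort
# order) that turns verification back on, which is the fix an administrator
# can drop in without editing the distro's own file.
cp "$demo/weak/00mintrelease" "$demo/fixed/00mintrelease"
cat > "$demo/fixed/99-require-signatures" <<'EOF'
APT::Get::AllowUnauthenticated "false";
EOF

# Usage: on a live system run it against /etc/apt/apt.conf.d, or compare with
# the merged view apt itself sees:  apt-config dump | grep -i AllowUnauthenticated
for tree in weak fixed; do
    if apt_allows_unauthenticated "$demo/$tree"; then
        echo "$tree: apt-get will accept packages that fail signature checks"
    else
        echo "$tree: unauthenticated packages are refused"
    fi
done
```

The point of taking the last value rather than the first match is that apt's own merge order decides what really happens; a hardening fragment placed before the distro's file would be silently overridden, which is exactly the kind of surprise the thread is about.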

  5. Thank you for your time, effort and patience.
    Your last post clarifies this issue further and I find it resolved, so no further discussion is necessary. I hope you would consider posting a similar post in the Mint forum and suggesting to the moderators to make it a sticky, so there is something people can be referred to if they ask questions about this. There is nothing on the Mint web site or forum even remotely as concise and clear as your last post here.
    Personally, I am not ready to give up on security features that can be easily found in other distributions, more so as I wanted to put Mint on my parents/family computers.
    The lack of info about this is more frustrating to me; there is no reason why something similar to your last post can't be found on the Mint web site or as a forum sticky. Why should end users trouble third-party people about issues that have enough weight to be mentioned and explained further?
    Again, thanks for your time and consider this discussion closed. All the best, Singu.

  6. @Singu: Thanks to you, that was a great point you raised.

    As for using another distro, just go for it. The best thing about Linux is that it is all about freedom, so be sure to give other distros a chance.

    Thanks again.