You may not know that Android mobile phones are actually built on top of a modified Linux Kernel. According to the definition found under ANDROID.COM:
"Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. The kernel also acts as an abstraction layer between the hardware and the rest of the software stack."
It is because of that Linux link that I wanted to start sharing Android news and concepts over here.
For those of you who don't know much about Android or maybe are not up to date with the project progress, I recommend watching the following video, which concentrates on demonstrating the great new features that come with the latest release, Android 2.2, codenamed "FROYO". The video is long, but very interesting, definitely worth watching. It includes demos depicting what Android is capable of today, as well as hinting at what is in store for the near future.
As Mr. Gundotra himself stresses at the beginning of this video, Android is roughly 1,5 years old. At such young age, it has made some incredible accomplishments, but some areas are still a bit immature. This is understandable, not only because of the project's youth, but also because of the crazy evolution pace the mobile device market is under. In fact, given that Android activations are now up to 160,000 a day (!!!), you can imagine how its market and community are bursting with creativity and continuous change.
IS ANDROID SECURE?
Now, it would be naive to think that all that development power would go in one direction. There will surely be people with malicious intentions, interested in exploiting potential vulnerabilities. Therefore, it is wise to keep an eye on security and continuously watch for security holes. A couple experts at Spider Labs seem to have thought of that as they created a rootkit for Android, as a proof of concept for a vulnerability they found. That malicious piece of software they built allows its developer to gain total control over the Android device.
The most concerning bit is that they apparently built this piece of malware in roughly two weeks, and, as they acknowledge themselves, "there are people who are much more motivated to do these things than we are." You may read the full story from this ARTICLE.
KEEP YOUR COOL
I think it is important to not overreact to things like this one. Making a system rock solid and fully secure takes time, and it is specially challenging within an environment that evolves as quickly as the Android one. The fact that such a vulnerability was brought up is actually good news. To begin with, that vulnerability will be fixed, but it will also trigger much more robust security features and audits from now on.
Unfortunately, the article does not really explain how that piece of malware actually works, but I found a bit more information at SLASHDOT.ORG:
"...(The piece of malicious software) is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number.'"
Therefore, this apparently means that the actual malware must be installed on the device (they don't really explain how this would happen) before the device owner picks up that 'trigger number' call in order for it to work. It's hard to judge the real impact of this vulnerability with so little information, but it sounds to me like installing software that exclusively comes from verified sources should avoid the problem.
NOTE: It is important to understand that this vulnerability is NOT a Linux one, but specific to Android.
Thanks for reading!