It was revealed by IT security researchers Nicholas Percoco and Christian Papathanasiou at the “DEFCON 18” hacking conference held last weekend that your Android device can be compromised with a rootkit! This rootkit either masquerades as a legitimate application, or exploits your device through unpatched vulnerabilities in its software.

During the conference, the two researchers demonstrated this by presenting their first ever rootkit for an Android device. They were able to show how easy it could be to create such a rootkit, how to spread that rootkit to thousands of devices using infected applications, and how dangerous it can be when it is activated on a mobile phone.

Called the “Mindtrick”, this rootkit uses Loadable Kernel Module (LKM) to allow attackers to control the infected mobile phone remotely. The text messages, information about contacts, and call history of the victim would be completely accessible to the attacker. Therefore, since the rootkit can hide itself from being detected by other programs, attackers could use the compromised mobile to call numbers with expensive fees without it showing up on the display and alerting the owner. It could even be used to track the location of the device using available GPS systems.

“Mindtrick” would be activated on the Android device when it is called with a particular number. It then connects to the computer of the attacker and then would be at the mercy of the computer of the attacker. Since anti-virus software currently available for Android phones does not yet recognize the rootkit, there is a big chance that new Android users devices may be exploited until the proper measures are made to stop rootkits like this one from infecting their phones.

While Google has a module that allows it to remotely delete data at the application level, it is uncertain if this would work at a kernel level to disable rootkits affecting Android devices. The simplest way to guard from LKM based rootkit infection would be to add an additional procedure. This procedure in the device will check whether a module has a valid signature from the maker before installing new software on the device. Many devices including the one used in the demonstration do not seem to have this feature.

Interested about SecPoint? Learn more About us, our Products, and Resources.