
Clickjacking Rootkits for Android: The Next Big Threat?

Mobile security researchers have identified an aspect of Android 4.0.4 (Ice Cream Sandwich) and earlier versions that clickjacking rootkits could exploit.

A research team led by Xuxian Jiang at NC State has been trying to identify potential weaknesses in various smartphone platforms as part of an overall effort to stay ahead of attacks from “black hat” attackers.

As part of this work, Jiang was able to develop a proof-of-concept prototype rootkit that attacks the Android framework, rather than the underlying operating system kernel. The rootkit could be downloaded with an infected app and, once established, could manipulate the smartphone.

For example, the rootkit could hide the smartphone’s browser and replace it with a browser that looks and acts exactly the same – but steals all of the information you enter, such as banking or credit card data. But the rootkit’s functionality is not limited to replacing the browser – it could be used to hide and replace any or all of the apps on a smartphone. Here is a video demonstration of the app.

“This would be a more sophisticated type of attack than we’ve seen before,” says Jiang, “specifically tailored to smartphone platforms. The rootkit was not that difficult to develop, and no existing mobile security software is able to detect it.

“But there is good news. Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these.”

Jiang is also the founder of the Android Malware Genome Project, which is a collaborative research effort designed to improve our understanding of existing Android malware. The project was announced May 22.

Leave a Response


  1. Just want to clarify that to avoid alerting the user, privilege escalation (or similar root access) is preferred to hijack the launcher. Otherwise, a social engineering trick will be needed.

  2. Hi, Tom:

    I am not going to expand with more details on this. But in our demo, the UI re-addressing is done by hijacking the launcher, which is completely different from earlier overlaying-based approaches.

    Thanks,
    –Xuxian

  3. Hi, Tom:

    – Does it perform a privilege escalation and then run as root (so then can modify core android framework file)?

    The demo itself does not perform a privilege escalation.

    – Is it simply a UI trick, or does it control the processes?

    It is a UI readdressing attack.

    – Is there any kernel-space code for syscall interception/redirection or something like LD_PRELOAD in user space?

    No

    – Is the demo phone rooted or no?
    No

  4. The video and the text above are complete PR… Seriously, give us real details on what the rootkit is doing:

    – Does it perform a privilege escalation and then run as root (so then can modify core android framework file)?
    – Is it simply a UI trick, or does it control the processes?
    – Is there any kernel-space code for syscall interception/redirection or something like LD_PRELOAD in user space?
    – Is the demo phone rooted or no?

    Please, it’s a research page, try to make it more interesting than PR from big companies…

  5. Also, the YouTube link works, but the video states it is unlisted and will not play (odd given the link goes there).

  6. I’ve said it before, but being an active person in the Android community, I’d really like to say thank you to the research NC State has done for Android. Always one step ahead. Proud to be an alumnus.
