By Dana Tierney, Senior Editor, Fusion Authority
In the last quarter of 2009, an estimated 485 million people had 3G cell phones. By 2020, that number will reach ten billion. A majority of those users keep their phones with them at all times, particularly executives and information technology workers, Trustwave SpiderLabs researchers Christian Papathanasiou and Nicholas Percoco wrote in a white paper distributed at DefCon. Users also almost universally consider their smartphones more secure than a public computer. But malware can target these devices just like any others, with an added danger — the hardware abstraction that makes them easy to use prevents the user from detecting the infection.
Percoco and Papathanasiou demonstrated at DefCon Saturday that the wildly popular Android, based on the Linux 2.6.x kernel, can be infected with an undetectable rootkit that then has access to system hardware such as the camera, microphone and GPS. The SpiderLabs researchers' exploit required physical access to the phone and a subsequent phone call to trigger it, but another vulnerability demonstrated at DefCon could probably be used to circumvent that inconvenience, they said at a press conference,
"using their attack and our payload."
Alternatively, a rootkit conceivably could ship with the phone by government mandate, they added, citing a Blackberry
"update" by United Arab Emirates mobile carrier Etisalat, which many considered malware. That update, which allowed lawful intercepts of user information, was written by a US firm, SS8.
The Android uses Linux for I/O with its hardware. The user cannot see below the application layer. Any performance issues will probably be shrugged off as a bug as the user reboots, Percoco said at a press conference.
The SpiderLabs rootkit demonstrated at DefCon can redirect outbound calls by hijacking sys_write and modifying the buffer. It also can get access to the GPS at /dev/smd27. The researchers believe that other smartphones may also use the loadable kernel modules that make this infection possible, but so far have only tested the rootkit on the Android.
Most of the Android's functionality lives in the libraries just below the application layer. A SQLite database provides storage for call records and SMS records. But it's the Linux kernel at the next layer down that controls the hardware.
Unlike traditional rootkits, kernel root kits can hide processes from /proc and the ps and lsmod commands will not reveal them. They have
"hooks" which register their address as the location of a given function and execute when that function is called.
System calls, used for file, process and network operations, are stored in the sys_call_table. Versions of the Linux kernel above 2.5 no longer export this table, but it can still be found in System.map.
Papathanasiou and Percoco had problems recompiling the kernel due to non-matching version magics but resolved them by modifying include/Linux/utsrelease.h. They then wrote a debug loadable kernel module to intercept and map system calls and parsed dmesg to reveal phone commands.
They sent a reverse tcp to the attacker using the phone's 4G or wi-fi. The rootkit hijacks sys_read and parses it for ATT CLCC values. If an entry matches the attacker phone, the rootkit then calls the reverse shell, which uses the call_usermodehelper function to spawn the reverse shell as a child of the kernel event keventd. Hijacking sys_getdents allowed them to hide the reverse shell binary, which otherwise would have been visible in the file system.
This allows the attacker to make calls with the phone, read mail and text messages, retrieve GPS information and conceivably to record events with the camera and microphone.
"Clearly bad, when this is happening then it's game over," commented another researcher who had presented a different mobile vulnerability at DefCon.
The average consumer can't do much to prevent infection, but phone manufacturers could help prevent this type of exploit by requiring developers to use signed modules.
Dana Tierney is the Senior Editor at House of Fusion, where she causes authors to cry over their once-thought perfect articles. They recover, and their articles are better for it. But still, the sound of grown men weeping...