Android susceptible to sophisticated clickjacking malware

Researchers have developed a prototype rootkit capable of hiding behind legit-looking apps to steal users' data

Clickjacking rootkits could pose the next big threat for the Android platform, according to a research team out of North Carolina State University. Led by computer science professor Xuxian Jiang, the team has developed a prototype clickjacking rootkit that's more sophisticated than the other Android-oriented malware already out there.

This new prototype rootkit -- which attacks the Android framework, rather than the kernel -- differs from other malware in key ways, according to Jiang. "Unlike other rootkits for the platform, this one can function without a restart and without deep modification of the underlying firmware," Jiang explained in a video in which he demonstrates the rootkit in action. "But it can still do all the things that a rootkit wants to do, such as hide or redirect apps."

The news doesn't bode especially well for Google, whose mobile platform is the least secure among the big four -- BlackBerry OS, iOS, Windows Phone, and Android -- according to a recent survey from Trend Micro titled "Enterprise Readiness of Consumer Mobile Platforms" [PDF]. Notably, the report looked at Android 2.3, but the fact remains that Google's inherently open ecosystem and loose app-marketplace restrictions make it less secure than its rivals. Additionally, Android is the most widely adopted mobile platform worldwide, so it's all the more appealing a target for cyber criminals. Jiang and his team have found at least a couple dozen instances of Android malware in the wild since last year.

The rootkit -- which exploits a vulnerability in Android 4.04 and earlier -- was easy to develop and "no existing mobile security software is able to detect it," Jiang told NCSU's The Abstract.

A savvy cyber criminal could use the rootkit to create malware that looks like a trustworthy application. Users might think they are installing a browser or Angry Birds, while the rootkit installs in the background. "Much like with Web clickjacking, the user thinks they are giving permission for the device to do one thing, but it's doing something else," Jiang said.

Once the rootkit is installed, a cyber criminal could have it surreptitiously steal a user's banking information, passwords, session keys, and the like. The rootkit is also capable of hiding and replacing any or all of the apps on an infected device. The prototype rootkit comes as a direct result of the Android Malware Genome Project, an effort launched by Jiang to classify existing Android malware and systematically explore possible attack vectors.

This particular clickjacking attack has not yet been observed in the wild, Jiang told InfoWorld. Still, he said, "this reflects a serious tangible threat."

This story, "Android susceptible to sophisticated clickjacking malware," was originally published at InfoWorld.com.
