updated 06:45 pm EDT, Fri July 30, 2010
Security experts make silent Android malware
SpiderLabs showed a rootkit at the Black Hat conference today that could compromise an Android phone without its owner's knowledge. The exploit, handed out on DVD at the hacking and security meetup, would let the wielder get complete control and personal data from an Android phone without triggering alerts. Team lead Nicholas Percoco said the app took just two weeks to build and would affect even modern Android 2.1 devices such as the HTC Desire and Legend.
The attack was made in an example of "ethical hacking" and was designed to pressure Google into closing the hole that made the root possible. Percoco didn't provide details of how the code worked, but he was expected to provide more details on Saturday. Rooting is increasingly common in Android as a whole as it gives more control over what apps and features can run.
Google hadn't commented on SpiderLabs' discovery as of Friday evening.
The hacking tool's creation comes just on the heels of concerns about Android Market apps also obtaining private data without the user's consent. As a platform, Android has been complimented for its freedom of choice but has also raised security issues as apps often have more control over core functions than they do on iOS or webOS. Google has been given similar mixed treatment for its app approval policies, as it intervenes significantly less in the submission process than Apple but has also been accused of letting a larger number of questionable apps reach the public.
Except for most AT&T devices, Android also has an option of allowing non-Market apps to install that could pose more of a risk, but the feature is turned off by default and warns users of the possible dangers. Similar permission isn't an option on the iPhone and requires a jailbreak.